#1 2008-12-13 00:14:26

ckristi
Member
From: Bucharest, Romania
Registered: 2006-11-21
Posts: 225

PAX (grsec) and openssl

Hello.

I applied the PaX patch to my custom kernel powering Arch Linux. And I had the surprise that OpenSSL (libcrypto.so to be more precise) requested an executable stack to run. After 2 days of "playing" around with PaX-specific tools (user-level apps like paxctl/chpax) and reconfigurations at the kernel level... I found a simple solution to this problem on a Debian or Debian-related forum (can't remember the link). The solution was to compile openssl using "-Wa,--noexecstack" on the config line.
So, I patched the PKGBUILD for openssl to do this, and now everything is working fine. Do you think you can enable this patch for the future builds of the openssl package? Here is the diff from the original PKGBUILD:

--- /var/abs/core/openssl/PKGBUILD    2008-12-12 07:04:32.000000000 +0200
+++ PKGBUILD    2008-12-12 23:54:41.000000000 +0200
@@ -3,7 +3,7 @@
 
 pkgname=openssl
 pkgver=0.9.8i
-pkgrel=2
+pkgrel=2.1
 pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer Security'
 arch=('i686' 'x86_64')
 url='http://www.openssl.org'
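Review bot: pkgrel=2.1 reads as a local rebuild marker; since the post asks for this change to go into future builds of the package, the release should be bumped to the next whole number (pkgrel=3) so that the repository package supersedes both 0.9.8i-2 and any locally built 2.1.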
@@ -19,7 +19,7 @@
     cd $startdir/src/$pkgname-$pkgver
 
     patch -p1 -i ../openssl-0.9.8g-fix_manpages-1.patch  || return 1
-    ./config --prefix=/usr --openssldir=/etc/ssl shared
+    ./config --prefix=/usr --openssldir=/etc/ssl -Wa,--noexecstack shared
 
     make || return 1
     make INSTALL_PREFIX=$startdir/pkg MANDIR=/usr/share/man install
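Review bot: Nothing in build() verifies that the flag added to the ./config line had the intended effect, and nothing documents why it is there. -Wa,--noexecstack is passed only to the assembler, so a check after make that the GNU_STACK program header of the built libcrypto.so is RW rather than RWE (for example with readelf -lW) would catch a later OpenSSL release or config change that silently brings the executable-stack request back. A one-line comment above ./config saying the flag exists for PaX/non-executable-stack kernels would keep it from being dropped in a future cleanup. Separately, the make ... install line in the context has no || return 1, unlike the patch and make lines above it.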

Thanks for your attention!

Later edit: Here is the link to the mailing list where I found the solution (not the forum, as I mistakenly stated earlier). http://www.mail-archive.com/debian-bugs … 47908.html

Last edited by ckristi (2008-12-13 00:20:00)


In love I believe and in Linux I trust

Offline
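
A check for the condition described in the post above, as an added example that is not part of the original post or of the Arch package: it reads the PT_GNU_STACK program header of an ELF file (i686 or x86_64, the two architectures in the PKGBUILD) and reports whether the file requests an executable stack. The function names and the sample headers are constructed for illustration.

```python
import struct

PT_GNU_STACK = 0x6474E551   # program header type that carries the stack permissions
PF_X = 0x1                  # "execute" bit in p_flags

def gnu_stack_flags(data):
    """Return p_flags of the PT_GNU_STACK header, or None if the file has none."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little endian
    if data[4] == 2:                          # EI_CLASS: 2 = ELF64
        e_phoff, = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        flags_off = 4                         # p_flags follows p_type in ELF64
    else:                                     # ELF32
        e_phoff, = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        flags_off = 24                        # p_flags is the 7th word in ELF32
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        if struct.unpack_from(end + "I", data, base)[0] == PT_GNU_STACK:
            return struct.unpack_from(end + "I", data, base + flags_off)[0]
    return None

def stack_verdict(data):
    """Classify an ELF image by the stack permissions it asks the loader for."""
    flags = gnu_stack_flags(data)
    if flags is None:
        return "unmarked"
    return "executable" if flags & PF_X else "non-executable"

def sample_elf(stack_flags, bits=64):
    """Constructed ELF header plus one PT_GNU_STACK entry (sample data only)."""
    if bits == 64:
        ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 3, 62, 1,
                           0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    else:
        ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01", 3, 3, 1,
                           0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
        phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                 # pass the path of a built libcrypto.so
        with open(path, "rb") as f:
            print(path, stack_verdict(f.read()))
    if len(sys.argv) == 1:                    # no arguments: show the two sample cases
        print("RWE:", stack_verdict(sample_elf(7)), "| RW:", stack_verdict(sample_elf(6)))
```

A library built without the flag is expected to report "executable" where its assembly objects were unmarked; after rebuilding with -Wa,--noexecstack the same check should report "non-executable".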

#2 2008-12-13 11:54:19

wuischke
Member
From: Suisse Romande
Registered: 2007-01-06
Posts: 630

Re: PAX (grsec) and openssl

I would like to second this request.

Offline

#3 2008-12-13 19:39:29

ckristi
Member
From: Bucharest, Romania
Registered: 2006-11-21
Posts: 225

Re: PAX (grsec) and openssl

@wuischke: Then please support me here http://bugs.archlinux.org/task/12434


In love I believe and in Linux I trust

Offline

#4 2008-12-14 19:38:38

ckristi
Member
From: Bucharest, Romania
Registered: 2006-11-21
Posts: 225

Re: PAX (grsec) and openssl

Pierre Schmitz has built new packages (openssl 0.9.8i-3) and put them in testing. Please do test them to be sure no Arch user will suffer from this change.


In love I believe and in Linux I trust

Offline
