Closed
Description
I am inquiring whether the libgit2sharp native binaries for Linux and macOS are compiled with specific security flags that may differ from the flags on libgit2 and, if not, whether anyone would know why these flags may not be currently supported. Finally, might there be a contribution guide to help contribute these changes without causing any regression? I would be happy to help create a PR to get these in.
Flags:
- `-gdwarf-5` to ensure that debugging dwarf version used is 5 for mac binaries.
- `-Wl,-z,now` to ensure some relocation data is marked as read-only after the executable is loaded.
- `-D_FORTIFY_SOURCE=2` when optimization level 2 is enabled (`-O2`). Some light reading on this shows that it can cause some regressions. Is this the reason it is not used, as libgit2 seems to have -o2 as one of the default flags?
- `--fstack-protector-strong` or `--fstack-protector-all` to prevent stack-based buffer overflows. I can see that the DEP flags are set so maybe this may not be needed.
The reason I have this query is because BinSkim flags the 1.8.4 release (probably older ones as well) for the following rules.
BinSkim Rules:
- Rule BA3004.GenerateRequiredSymbolFormat
  - Ensures debugging dwarf version used is 5. The dwarf version 5 contains more information and should be used.
- Rule BA3011.EnableBindNow
  - Ensures some relocation data is marked as read-only after the executable is loaded and moved below the `.data` section in memory.
- Rule BA3030.UseGccCheckedFunctions
  - GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string.
- Rule BA3003.EnableStackProtector
  - Ensures all functions that use buffers over a certain size will use a stack cookie to prevent stack-based buffer overflows.
I will appreciate any assistance on these.
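As an added example (not part of the original issue, and not BinSkim's or the project's code), the following approximates three of the rules listed above (BA3011, BA3003, BA3030) from the text output of `readelf -d` and `readelf --dyn-syms` on a Linux shared object. The sample output is constructed, and the function names `symbol_names` and `hardening_report` are hypothetical.

```python
import re

# Constructed sample output (not from a real libgit2 build), in the style of
# `readelf -d` and `readelf --dyn-syms` for a hardened and a plain shared object.
HARDENED_DYN = """\
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW
"""
HARDENED_SYMS = """\
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (3)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND malloc@GLIBC_2.2.5 (4)
"""
PLAIN_DYN = """\
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libexample.so]
"""
PLAIN_SYMS = """\
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND malloc@GLIBC_2.2.5 (3)
"""

# -Wl,-z,now shows up as DT_BIND_NOW, DF_BIND_NOW in FLAGS, or DF_1_NOW in FLAGS_1.
BIND_NOW_RE = re.compile(r"\(BIND_NOW\)|\(FLAGS\)[ \t]+.*BIND_NOW|\(FLAGS_1\)[ \t]+.*\bNOW\b")

def symbol_names(dyn_syms_text):
    """Return symbol names from `readelf --dyn-syms` text, version suffix removed."""
    names = set()
    for line in dyn_syms_text.splitlines():
        fields = line.split()
        # Symbol rows start with "<index>:" and carry the name in the 8th column.
        if len(fields) >= 8 and fields[0].rstrip(":").isdigit():
            names.add(fields[7].split("@")[0])
    return names

def hardening_report(dynamic_text, dyn_syms_text):
    """Heuristic view of three of the mitigations named in the issue."""
    names = symbol_names(dyn_syms_text)
    return {
        "bind_now": bool(BIND_NOW_RE.search(dynamic_text)),
        # Stack-protector instrumentation calls __stack_chk_fail on a bad canary.
        "stack_protector": "__stack_chk_fail" in names,
        # _FORTIFY_SOURCE rewrites calls such as memcpy into __memcpy_chk.
        "fortify_source": any(re.fullmatch(r"__\w+_chk", n) for n in names),
    }
```

A missing `__*_chk` import is only a hint: a fortified build in which no call qualifies for a checked variant imports none of them.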