Comment # 10
on bug 11643
from Peter Wu
(In reply to Guy Harris from comment #8)
> Is there some compelling reason to build *everything* position-independent?
> With autotools, we only build dumpcap PIE, as it's the only software running
> with elevated privileges.
I once saw a presentation where somebody exploited a vulnerability in Wireshark
and managed to launch notepad by simply opening a network capture. I hope that
by (at least supporting the option to) build with -fPIE by default, such
vulnerabilities become harder to exploit. (looking at
https://wireshark.org/security/ should be a reason to worry)
Kali Linux runs everything as root by default. It's their choice, but I would
rather have some additional defenses before the user is fully owned. Maybe it
already uses PIE (IIRC it was based off Ubuntu, and later Debian?).
> dumpcap doesn't use Qt, so if we only build it PIE, and don't build anything
> else PIE, maybe this whole mess can be avoided. (Doing so seems to fix the
> problem on my Ubuntu 15.10 VM.)
Does removal of the broken check in https://code.wireshark.org/review/11618 fix
your build? I would aim at fixing support for -fPIE rather than removing it
completely (as is done in 11835). Maybe put it in an -DENABLE_PIE option (or
--with-pie for autotools), but at least make sure that the code can be compiled
with it.
You are receiving this mail because:
- You are watching all bug changes.
