Merge branch 'maint-0.2.9' into release-0.2.9
This commit is contained in:
commit
84a9ff0feb
|
@ -0,0 +1,8 @@
|
||||||
|
o Major bugfixes (security):
|
||||||
|
- Downgrade the "-ftrapv" option from "always on" to "only on when
|
||||||
|
--enable-expensive-hardening is provided." This hardening option, like
|
||||||
|
others, can turn survivable bugs into crashes--and having it on by
|
||||||
|
default made a (relatively harmless) integer overflow bug into a
|
||||||
|
denial-of-service bug. Fixes bug 21278 (TROVE-2017-001); bugfix on
|
||||||
|
0.2.9.1-alpha.
|
||||||
|
|
15
configure.ac
15
configure.ac
|
@ -761,14 +761,15 @@ m4_ifdef([AS_VAR_IF],[
|
||||||
TOR_CHECK_CFLAGS(-fPIE)
|
TOR_CHECK_CFLAGS(-fPIE)
|
||||||
TOR_CHECK_LDFLAGS(-pie, "$all_ldflags_for_check", "$all_libs_for_check")
|
TOR_CHECK_LDFLAGS(-pie, "$all_ldflags_for_check", "$all_libs_for_check")
|
||||||
fi
|
fi
|
||||||
TOR_TRY_COMPILE_WITH_CFLAGS(-ftrapv, also_link, CFLAGS_FTRAPV="-ftrapv", true)
|
|
||||||
TOR_TRY_COMPILE_WITH_CFLAGS(-fwrapv, also_link, CFLAGS_FWRAPV="-fwrapv", true)
|
TOR_TRY_COMPILE_WITH_CFLAGS(-fwrapv, also_link, CFLAGS_FWRAPV="-fwrapv", true)
|
||||||
if test "$tor_cv_cflags__ftrapv" = "yes" && test "$tor_can_link__ftrapv" != "yes"; then
|
|
||||||
AC_MSG_WARN([The compiler supports -ftrapv, but for some reason I was not able to link with -ftrapv. Are you missing run-time support? Run-time hardening will not work as well as it should.])
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if test "x$enable_expensive_hardening" = "xyes"; then
|
if test "x$enable_expensive_hardening" = "xyes"; then
|
||||||
|
TOR_TRY_COMPILE_WITH_CFLAGS(-ftrapv, also_link, CFLAGS_FTRAPV="-ftrapv", true)
|
||||||
|
if test "$tor_cv_cflags__ftrapv" = "yes" && test "$tor_can_link__ftrapv" != "yes"; then
|
||||||
|
AC_MSG_WARN([The compiler supports -ftrapv, but for some reason I was not able to link with -ftrapv. Are you missing run-time support? Run-time hardening will not work as well as it should.])
|
||||||
|
fi
|
||||||
|
|
||||||
if test "$tor_cv_cflags__ftrapv" != "yes"; then
|
if test "$tor_cv_cflags__ftrapv" != "yes"; then
|
||||||
AC_MSG_ERROR([You requested expensive hardening, but the compiler does not seem to support -ftrapv.])
|
AC_MSG_ERROR([You requested expensive hardening, but the compiler does not seem to support -ftrapv.])
|
||||||
fi
|
fi
|
||||||
|
@ -1819,7 +1820,7 @@ if test "x$enable_gcc_warnings_advisory" != "xno"; then
|
||||||
-Wstatic-float-init
|
-Wstatic-float-init
|
||||||
-Wstatic-in-inline
|
-Wstatic-in-inline
|
||||||
-Wstatic-local-in-inline
|
-Wstatic-local-in-inline
|
||||||
-Wstrict-overflow=2
|
-Wstrict-overflow=1
|
||||||
-Wstring-compare
|
-Wstring-compare
|
||||||
-Wstring-conversion
|
-Wstring-conversion
|
||||||
-Wstrlcpy-strlcat-size
|
-Wstrlcpy-strlcat-size
|
||||||
|
@ -1864,6 +1865,10 @@ if test "x$enable_gcc_warnings_advisory" != "xno"; then
|
||||||
-Wzero-length-array
|
-Wzero-length-array
|
||||||
], [ TOR_CHECK_CFLAGS([warning_flag]) ])
|
], [ TOR_CHECK_CFLAGS([warning_flag]) ])
|
||||||
|
|
||||||
|
dnl We should re-enable this in some later version. Clang doesn't
|
||||||
|
dnl mind, but it causes trouble with GCC.
|
||||||
|
dnl -Wstrict-overflow=2
|
||||||
|
|
||||||
dnl These seem to require annotations that we don't currently use,
|
dnl These seem to require annotations that we don't currently use,
|
||||||
dnl and they give false positives in our pthreads wrappers. (Clang 4)
|
dnl and they give false positives in our pthreads wrappers. (Clang 4)
|
||||||
dnl -Wthread-safety
|
dnl -Wthread-safety
|
||||||
|
|
Loading…
Reference in New Issue