[user_id=21627] Can you please elaborate? What is an "executable stack", why does Python have one, why is that bad, and how does your patch fix that?
[user_id=1096685] It is probably best summed up here -> http://www.gentoo.org/proj/en/hardened/gnu-stack.xml but, put simply, executable stacks don't work on hardened systems. The simplest way to fix them is to explicitly tell gcc to compile libraries without executable stacks.
[user_id=21627] Ah, so the patch doesn't actually fix that Python 2.5 contains executable stacks. It rather makes it execute successfully on a hardened system. Still, I don't understand what you mean by "Python contains executable stacks". Where does it do so? And what precisely breaks on a hardened system when Python is running on it?
[user_id=1096685] No, sorry, I badly described the situation in the previous post. This patch explicitly tells GCC not to make the stack executable for Python-2.5c1/Modules/_ctypes/libffi/src/x86/sysv.S; this means that it should execute successfully on a hardened system. Without this patch, GCC guesses (incorrectly) that sysv.o requires an executable stack, and sets it accordingly. This can cause execution to fail if Exec Shield is enabled on hardened systems. Basically it's just better practice to explicitly mark whether assembly code needs an executable stack or not, and for the most part, it doesn't. For more info (since I'm not brilliant at explaining this) see: http://people.redhat.com/drepper/nonselsec.pdf (particularly Appendix A and Exec Shield), http://people.redhat.com/drepper/selinux-mem.html, http://www.gentoo.org/proj/en/hardened/gnu-stack.xml or drop into #gentoo-hardened on Freenode.
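The thread describes the mechanism (GCC emits, or fails to emit, a PT_GNU_STACK program header telling the loader whether the stack must be executable) but not how to check a built object for it. The following is an added example, not code from this tracker thread or from CPython/libffi: a small, self-contained Python checker that parses the ELF64 program headers directly and reports whether a file asks for an executable stack, which is the same fact `readelf -lW` shows in the GNU_STACK line (RWE vs RW) or `execstack -q` prints. The sample ELF images are constructed inline and are not loadable code; the directive that would normally be appended to a `.S` file to mark it non-executable is `.section .note.GNU-stack,"",@progbits`.

```python
import struct
import sys

# ELF constants (from the ELF and GNU ABI specifications).
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551      # program header that carries the stack flags
PF_X, PF_W, PF_R = 1, 2, 4
ET_DYN = 3
EM_X86_64 = 62
EHDR_FMT = '<16sHHIQQQIHHHHHH'   # Elf64_Ehdr, little-endian, 64 bytes
PHDR_FMT = '<IIQQQQQQ'           # Elf64_Phdr, 56 bytes


def build_elf64(phdrs):
    """Constructed sample for this example: a minimal little-endian ELF64
    shared object containing only the given (p_type, p_flags) program
    headers. It is not loadable; it exists so the checker can be exercised
    offline."""
    ehsize, phentsize = struct.calcsize(EHDR_FMT), struct.calcsize(PHDR_FMT)
    ident = b'\x7fELF\x02\x01\x01' + b'\x00' * 9   # class=64-bit, data=LE, version=1
    ehdr = struct.pack(EHDR_FMT, ident, ET_DYN, EM_X86_64, 1,
                       0,            # e_entry
                       ehsize,       # e_phoff: program headers follow the header
                       0, 0,         # e_shoff, e_flags
                       ehsize, phentsize, len(phdrs),
                       0, 0, 0)      # no section headers
    body = b''.join(struct.pack(PHDR_FMT, p_type, p_flags, 0, 0, 0, 0, 0, 0x10)
                    for p_type, p_flags in phdrs)
    return ehdr + body


def stack_flags(data):
    """Return the PF_* flags of the PT_GNU_STACK header, or None if the
    header is absent. Absence is what happens when an assembly file lacks
    the .note.GNU-stack section: the linker cannot prove the stack is
    non-executable, and on many systems the loader then defaults to an
    executable stack, which is exactly the case the patch in the thread
    addresses."""
    if len(data) < struct.calcsize(EHDR_FMT) or data[:4] != b'\x7fELF':
        raise ValueError('not an ELF file')
    if data[4] != 2 or data[5] != 1:
        raise ValueError('only little-endian ELF64 is handled by this example')
    fields = struct.unpack_from(EHDR_FMT, data, 0)
    phoff, phentsize, phnum = fields[5], fields[9], fields[10]
    for i in range(phnum):
        p_type, p_flags = struct.unpack_from('<II', data, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None


def classify(data):
    """Human-readable verdict for one ELF image."""
    flags = stack_flags(data)
    if flags is None:
        return 'no GNU_STACK header (loader default; treat as executable)'
    return 'executable stack' if flags & PF_X else 'non-executable stack'


# Constructed samples: what a correctly marked object, a mis-marked object,
# and an unmarked object look like to the checker.
SAMPLES = {
    'marked RW  (.note.GNU-stack present, non-exec)':
        build_elf64([(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W)]),
    'marked RWE (GCC guessed exec stack)':
        build_elf64([(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)]),
    'unmarked   (no GNU_STACK header)':
        build_elf64([(PT_LOAD, PF_R | PF_X)]),
}

if __name__ == '__main__':
    # Usage: python check_stack.py [file.so ...]; with no arguments the
    # constructed samples are classified instead.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, 'rb') as fh:
                print(f'{path}: {classify(fh.read())}')
    else:
        for name, image in SAMPLES.items():
            print(f'{name}: {classify(image)}')
```

On a real build tree the same logic can be pointed at every `.so` under `build/lib*` (or at `_ctypes.so` specifically) to confirm that the assembly object no longer forces an RWE GNU_STACK after the `.note.GNU-stack` directive is added; `readelf -lW file | grep GNU_STACK` gives the same answer without the script.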