[#6410] ASLR and DEP not enable in EXE and DLL's

2013-01-13 06:56
Submitted by:
Ruy Urban (faois)
Assigned to:
Timo Schulz (twoaday)
Operating System:
ASLR and DEP not enable in EXE and DLL's

Detailed description
It would be nice for you to enable ASLR (Address space layout randomization) and DEP (Data Execution Prevention) in all exe and dll's that are loaded (WinPT.exe, PTD.dll, libgpgme-11.dll and libgpg-error-0.dll) in order to prevent some type of malware.
Message  ↓
Date: 2013-01-19 15:24
Sender: Ruy Urban

So, if I understand correctly, you can just grab the source code, that is what they make available, set the ASLR and DEP flags enabled, and compile it... correct?
You can do that for your project (WinPT) correct? As long as you make available the source to the community with the changes, correct? That would be a nice improvement and probably something that takes little time and afford I think. If you can please do it.
I will contact the GnuPG guys, but I have contact them in the past and never received any answer whatsoever... sou I'm not hopeful that they will correct this library's.

Date: 2013-01-19 15:09
Sender: Timo Schulz

To shed some light on the gpg components issue ... I'm familiar with the libraries and also how to compile them for Win32/Win64. They utilize the same cross-platform compiler strategy that is used in WinPT.

Thus, it's no problem to compile libgpg-error and libgpgme with these flags enabled. If the authors are interested to make this change permanently, have to be discussed with them.

Date: 2013-01-19 00:55
Sender: Ruy Urban

Hi again!
About the libgpgme and libgpg-error libraries I've found here: ftp://ftp.gnupg.org/gcrypt/libgcrypt/ and ftp://ftp.gnupg.org/gcrypt/libgpg-error/ but they don't contain the Windows binary version.

So someone has compiled it to windows binary .dll And I can't find it, to ask for a new compiled version with the ASLR and DEP enabled.

Should I contact GnuPG project to ask them to include ASLR and DEP "flag" on their source? Because I'm not sure if that is compatible or not with the other Operating Systems. And that would be enough for you to compile it with the instructions to Windows? Or the other person that did the .dll

The only thing I've ever compiled in the past, was GnuPG 1.4.x version in order to make bigger RSA keys, and after following a never ending set of instructions... I'm not programmer or something closed to that :p

Date: 2013-01-16 18:54
Sender: Timo Schulz

No problem. Thanks for the reminder. It's definitely important and because it's very easy to "fix", a great idea.

Just a reminder, for the official libgpgme and libgpg-error libraries, you have to ask the author(s) of this project, since WinPT is just using them.

Date: 2013-01-15 12:56
Sender: Ruy Urban

Thanks for the update :)
Yes, I should have notice that this should be considered feature request since is not a bug by it self.
Keep the good work going.

Date: 2013-01-13 14:44
Sender: Timo Schulz

Moved from Bugs to Feature Requests

Date: 2013-01-13 14:44
Sender: Timo Schulz

Good idea. I added support for the two features in the current SVN repository.

Since this is no bug, I moved the item to 'Feature Request'.

No attached documents

Field Old Value Date By
typeBugs2013-01-13 14:44Timo Schulz
assigned_tonone2013-01-13 14:44Timo Schulz