Wireshark-bugs: [Wireshark-bugs] [Bug 11643] build error on Debian testing: Couldn't compile Qt

Date: Sat, 14 Nov 2015 22:59:16 +0000

Comment # 10 on bug 11643 from
(In reply to Guy Harris from comment #8)
> Is there some compelling reason to build *everything* position-independent? 
> With autotools, we only build dumpcap PIE, as it's the only software running
> with elevated privileges.

I once saw a presentation where somebody exploited a vulnerability in Wireshark
and managed to launch notepad by simply opening a network capture. I hope that
by (at least supporting the option to) build with -fPIE by default, such
vulnerabilities become harder to exploit. (looking at
https://wireshark.org/security/ should be a reason to worry)

Kali Linux runs everything as root by default. It's their choice, but I would
rather have some additional defenses before the user is fully owned. Maybe it
already uses PIE (IIRC it was based off Ubuntu, and later Debian?).

> dumpcap doesn't use Qt, so if we only build it PIE, and don't build anything
> else PIE, maybe this whole mess can be avoided.  (Doing so seems to fix the
> problem on my Ubuntu 15.10 VM.)

Does removal of the broken check in https://code.wireshark.org/review/11618 fix
your build? I would aim at fixing support for -fPIE rather than removing it
completely (as is done in 11835). Maybe put it in an -DENABLE_PIE option (or
--with-pie for autotools), but at least make sure that the code can be compiled
with it.


You are receiving this mail because:
  • You are watching all bug changes.