Commit Graph

14 Commits

Author SHA1 Message Date
Wladimir J. van der Laan
a25ee06cc1 Merge #17787: scripts: add MACHO PIE check to security-check.py
7c9e821c4e6cb186208ead9c8df616d1f393a49a scripts: add MACHO NOUNDEFS check to security-check.py (fanquake)
4ca92dc6d3f3e487d63286d8871d1829b3d279ff scripts: add MACHO PIE check to security-check.py (fanquake)

Pull request description:

  This uses `otool -vh` to print the mach header and look for the `PIE` flag:
  ```bash
  otool -vh src/bitcoind
  Mach header
        magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
  MH_MAGIC_64  X86_64        ALL LIB64     EXECUTE    24       2544   NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE
  ```

  From [`mach-o/loader.h`](https://opensource.apple.com/source/cctools/cctools-927.0.2/include/mach-o/loader.h.auto.html):
  ```c
  #define	MH_PIE 0x200000			/* When this bit is set, the OS will
  					   load the main executable at a
  					   random address.  Only used in
  					   MH_EXECUTE filetypes. */
  ```

ACKs for top commit:
  laanwj:
    code review ACK 7c9e821c4e6cb186208ead9c8df616d1f393a49a

Tree-SHA512: 5ba2f60440d0e31c70371a355c91ca4f723d80f7287d04e2098bf5b11892cc74216ff8f1454603c4db9675d4f7983614843b992b8dcfca0309aadf2aa7ab2e4b
2022-06-08 12:36:52 +07:00
Wladimir J. van der Laan
50168b66a2
Merge #14848: docs: Fix broken Gmane URL in security-check.py
af1ed206f Fix broken Gmane URLs (Craig Younkins)

Pull request description:

  This is an automated pull request to fix broken Gmane URLs.

    Here's what I did:
    First I searched for Gmane URLs in your repo. For each Gmane URL, I checked if the content was available at the URL. For URLs where the content was not available, I first checked the `article` subdomain of Gmane, which has some content not available on the `thread` and `comments` subdomains.

    If the content wasn't anywhere on Gmane's web interface, I resolved the URL to a [Message-ID](https://en.wikipedia.org/wiki/Message-ID) via the Gmane NNTP interface and tried to find the Message-ID on other mailing list archivers. I checked `mail-archive.com`, then `marc.info`, then `lists.debian.org` and so on.

    If a new URL was found, I replaced it in this pull request. If the content wasn't found, I left the link alone.

Tree-SHA512: b46258de485a411fc4fbd6b8fb044c30fa062fd3a7ef78c6b8b405802c91283bc5c9f7f8b8c83385f3a12fe39578ea0695efd19ce19f3bb4606fbbd1be894d0e
2021-07-08 11:57:04 -05:00
MarcoFalke
18eebe5251 Merge #13210: Enable W191 indentation contains tabs and W291 trailing whitespace flake8 checks for Python files
0d31ef4762 Enable W191 and W291 flake8 checks. Remove trailing whitespace from Python files. Convert tabs to spaces. (John Bampton)

Pull request description:

Tree-SHA512: d062434310d6232469d7ca8e5f2ddb7db7e85cb2a299e609d98bacc318368e43e0777c9f4966df03d50f526bbe27207faa87a7464e62e14671194459a06ad969
2020-07-29 10:57:08 -05:00
Wladimir J. van der Laan
f0b1c562a1 Merge #13764: contrib: Fix test-security-check fail in Ubuntu 18.04
1e60713a68296a0ff221befb48b2958fbf019ebf contrib: Fix test-security-check fail in Ubuntu 18.04 (Chun Kuan Lee)

Pull request description:

  - Fix test-security-check fail in Ubuntu 18.04. Those flags are enabled by default, so we must specify `-no` to make the executable does 'not' have those attributes.
  - Drop HIGH_ENTROPY_VA. After update our gitian system to Bionic, the compiler should support HIGH_ENTROPY_VA

Tree-SHA512: 78c1f2aae1253ddd52faa1af569b7151a503a217c7ccbe21b8004d8910c45d8a27ff04695eacbdadd7192d2c91c0d59941ca20c651dd2d5052b9999163a11ae4
2020-07-28 21:35:31 -05:00
Wladimir J. van der Laan
c72e09442b Merge #13647: Scripts and tools: Fix BIND_NOW check in security-check.py
37d363dd4acf7d41196d44b295593019add241c3 Tools: fix BIND_NOW check in security-check.py (Conrado Gouvea)

Pull request description:

  Previously, the BIND_NOW check would work only if it was the first value in FLAGS.

Tree-SHA512: 39cd83f673a6b521803be5585ada516f2db4eede718f0c5aea3377825ed1adcefed5bbb41dd9a5f24a26f7d27116cfc81bde7e26283232593b72768c5ae3d321
2020-07-26 19:39:13 -05:00
MarcoFalke
561ec27683 Merge #10781: Python cleanups
78214588d Use for-loop instead of list comprehension (practicalswift)
823979436 Use the variable name _ for unused return values (practicalswift)
2e6080bbf Remove unused variables and/or function calls (practicalswift)
9b94054b7 Avoid reference to undefined name: stderr does not exist, sys.stderr does (practicalswift)
51cb6b822 Use print(...) instead of undefined printf(...) (practicalswift)
25cd520fc Use sys.exit(...) instead of exit(...): exit(...) should not be used in programs (practicalswift)

Pull request description:

  Python cleanups:
  * Avoid reference to undefined name: `stderr` does not exist, `sys.stderr` does
  * Use `print(...)` instead of undefined `printf(...)`
  * Avoid redefinition of variable (`tx`) in list comprehension
  * Remove unused variables and/or function calls
  * Use `sys.exit(...)` instead of `exit(...)`: [`exit(...)` should not be used in programs](https://github.com/bitcoin/bitcoin/pull/10753#discussion_r125935027)

Tree-SHA512: 1238dfbc1d20f7edadea5e5406a589f293065638f6234809f0d5b6ba746dffe3d276bc5884c7af388a6c798c61a8759faaccf57f381225644754c0f61914eb4b
2020-01-02 22:01:29 -06:00
Alexander Block
7cf9572c26 Backport Bitcoin #11881: Remove Python2 support (#2224)
* Merge #11881: Remove Python2 support

1874058 Make base58 python contrib code work with python3 (Evan Klitzke)
bc6fdf2 Change all python files to use Python3 (John Newbery)

Pull request description:

  Following discussion here: https://github.com/bitcoin/bitcoin/pull/11843#issuecomment-351033742

  It's easier for maintainers if all python tools/scripts support only a single version of Python. There are only a few scripts that aren't explicitly python3 at this point, so this PR changes those remaining scripts to explicitly require python3.

Tree-SHA512: 5d38eef6e0fc7d8515e23a1f4c75e8b4160fd0fe23cba52a1f41689b114e54a9e503e0724829e8b41982ef98f2d113df80d9e238213b74f09ceaed0344a19e24

* Merge #12829: Python3 fixup

f50975b [contrib] fixup symbol-check.py Python3 support (John Newbery)
5de2b18 [contrib] fixup security-check.py Python3 support (John Newbery)

Pull request description:

  security-check.py and symbol-check.py were broken by #11881. Fix them.

Tree-SHA512: 86de3d6dc3292b1ae4cc04c2d7d7dbbf39c9270551d7b224b8d8b19e3184c30c897dbf823200403706d06bb405c0decad5cfd690cb2c0312992a235a4ffcf6bf
2018-08-13 19:07:52 +03:00
Wladimir J. van der Laan
8edc2a78cb Merge #8249: Enable (and check for) 64-bit ASLR on Windows
62c2915 build: supply `-Wl,--high-entropy-va` (Wladimir J. van der Laan)
9a75d29 devtools: Check for high-entropy ASLR in 64-bit PE executables (Wladimir J. van der Laan)
2018-01-11 13:22:22 +01:00
Wladimir J. van der Laan
473ffa0641 Merge #8702: [copyright] add MIT License copyright header to remaining Python files
4677b19 [copyright] add MIT License copyright header to remaining Python files (isle2983)
2018-01-11 13:20:57 +01:00
MarcoFalke
bc659c3e6e Merge #8270: Tests: Use portable #! in python scripts (/usr/bin/env)
7b01ce2 Favour python over python2 as per PR #7723 (Matthew King)
873e81f Use portable #! in python scripts (/usr/bin/env) (Matthew King)
2018-01-08 18:04:55 +01:00
Wladimir J. van der Laan
a9a209f586 Merge #7723: build: python 3 compatibility
18f05c7 build: python 3 compatibility (Wladimir J. van der Laan)
2017-12-19 13:18:30 +01:00
Wladimir J. van der Laan
38080259be Merge pull request #7313
0331aa3 Fixing typos on security-check.py and torcontrol.cpp (calebogden)
2017-12-10 00:04:01 +01:00
Cory Fields
aa26ee0101
release: Add security/export checks to gitian and fix current failures
- fix parsing of BIND_NOW with older readelf
- add _IO_stdin_used to ignored exports

For details see: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=634261#109

- add check-symbols and check-security make targets

These are not added to the default checks because some of them depend on
release-build configs.

- always link librt for glibc back-compat builds

glibc absorbed clock_gettime in 2.17. librt (its previous location) is safe to
link in anyway for back-compat.

Fixes #7420

- add security/symbol checks to gitian

Github-Pull: #7424
Rebased-From: cd27bf51e0 475813ba5b f3d3eaf78e a8ce872118 a81c87fafc
2016-01-27 11:33:33 +01:00
Wladimir J. van der Laan
579b863cd7 devtools: Add security-check.py
Perform the following ELF security checks:

- PIE: Check for position independent executable (PIE), allowing for address space randomization
- NX: Check that no sections are writable and executable (including the stack)
- RELRO: Check for read-only relocations, binding at startup
- Canary: Check for use of stack canary

Also add a check to symbol-check.py that checks that only the subset of
allowed libraries is imported (to avoid incompatibilities).
2015-10-22 03:35:38 +02:00