Explain why Get-HardenFlags currently fails.
author Gerald Combs <gerald@wireshark.org>
Fri, 30 Oct 2015 18:18:45 +0000 (11:18 -0700)
committer Gerald Combs <gerald@wireshark.org>
Fri, 30 Oct 2015 18:31:00 +0000 (18:31 +0000)
Change-Id: I4a956b2479a482a9262e6e67f6c7611fad9dde84
Reviewed-on: https://code.wireshark.org/review/11448
Reviewed-by: Gerald Combs <gerald@wireshark.org>
tools/Get-HardenFlags.ps1

index 3e2ea3f3b47186850bd1f096e1638563438f22f9..fcb3edf73a3c3da589d0c3d71e914a0433b58359 100644 (file)
 #   on all the binaries in the distribution, and then filters
 #   for the NXCOMPAT and DYNAMICBASE flags.
 
+# This script will probably fail for the forseeable future.
+#
+# Many of our third-party libraries are compiled using MinGW-w64. Its version
+# of `ld` doesn't enable the dynamicbase, nxcompat, or high-entropy-va flags
+# by default. When you *do* pass --dynamicbase it strips the relocation
+# section of the executable:
+#
+#   https://sourceware.org/bugzilla/show_bug.cgi?id=19011
+#
+# As a result, none of the distributions that produce Windows applications
+# and libraries have any sort of hardening flags enabled:
+#
+#   http://mingw-w64.org/doku.php/download
+#
+
 <#
 .SYNOPSIS
 Checks the NXCOMPAT and DYNAMICBASE flags on all the binaries.
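Review bot: The new explanation is written as plain `#` comments above the `<#` help block, so it will not appear in Get-Help output for the script; consider moving it under a .NOTES or .DESCRIPTION keyword inside the comment-based help, where someone who runs the check and sees it fail will find the reason. "forseeable" in the first added line should be "foreseeable". The statement that "none of the distributions ... have any sort of hardening flags enabled" is supported only by a link to the MinGW-w64 download page, which lists distributions rather than documenting their flags; naming which of our bundled libraries are expected to lack NXCOMPAT and DYNAMICBASE would make the script's failures easier to triage until the linked `ld` bug is resolved.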