the SSP test compiles this simple code:

    #include <stdlib.h>
    int main(void){exit(0);}

while that works fine for testing the -fstack-protector-all flag, it's insufficient for testing the -fstack-protector flag. since it doesn't use any stack, no SSP markings will be added. so if the toolchain does not fully support SSP, the configure script will add the flag but the build will ultimately fail. a better test case seems to be:

    #include <stdio.h>
    int main(void){char foo[1024];return sprintf(foo, "moo cow");}

patch: http://sources.gentoo.org/net-misc/openssh/files/openssh-5.1_p1-better-ssp-check.patch?rev=1.1
Created attachment 1579
Fixed patch

I think the referenced patch is incorrect: square brackets need escaping in autoconf, so the test program would always fail with a compile error. This patch uses autoconf "quadrigraph" escaping (don't ask) to avoid this.
oops, ignore the changes to Makefile.in in that diff - they aren't supposed to be there.
(In reply to comment #1)
> I think the referenced patch is incorrect: square brackets need
> escaping in autoconf, so the test program would always fail with a
> compile error. This patch uses autoconf "quadrigraph" escaping (don't
> ask) to avoid this.

Or you can just double up on the square brackets. More readable?

+int main(void){char x[[256]]; snprintf(x, sizeof(x), "XXX"); return 0;}
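Review bot: the added test line calls snprintf, so the test source needs #include <stdio.h> ahead of it, as the test case in the original report had. The include is not visible in this one-line excerpt, and a compiler that rejects implicit function declarations would fail the probe for a reason unrelated to SSP, so confirm the surrounding hunk carries it.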
Created attachment 1580
simplified diff

diff with Tim's suggestion and no extraneous crap
indeed ... i should have checked the config.log rather than just verifying that SSP was detected as not supported
patch applied, will be in openssh-5.2. Thanks!
Close bugs fixed/reviewed for openssh-5.2 release
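
The check this thread converges on, written out as a configure.ac fragment. This is an added example, not OpenSSH's configure.ac or either attached patch; the variable names (ssp_flag, saved_CFLAGS, saved_LDFLAGS, ssp_ok), the order in which the flags are tried, and the use of a link test rather than a compile-only test are assumptions.

```m4
# Added example: probe SSP flags with a program that has a stack buffer.
for ssp_flag in -fstack-protector-all -fstack-protector; do
	AC_MSG_CHECKING([whether $CC supports $ssp_flag])
	saved_CFLAGS="$CFLAGS"
	saved_LDFLAGS="$LDFLAGS"
	CFLAGS="$CFLAGS $ssp_flag"
	LDFLAGS="$LDFLAGS $ssp_flag"
	# Doubled brackets: m4 strips one level of quoting, so the C array
	# subscript inside the double-quoted body reaches the compiler intact.
	AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[#include <stdio.h>]],
			[[char x[256];
			snprintf(x, sizeof(x), "XXX");
			return 0;]])],
		[ssp_ok=yes],
		[ssp_ok=no])
	AC_MSG_RESULT([$ssp_ok])
	if test "x$ssp_ok" = "xyes"; then
		break
	fi
	# Flag rejected or program failed to link: drop it and try the next.
	CFLAGS="$saved_CFLAGS"
	LDFLAGS="$saved_LDFLAGS"
done
```

When a probe reports "no", config.log holds the generated conftest.c and the compiler output, which shows whether the failure came from the SSP flag or from a mangled test program.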