We're in the process of going through our security checklists, and I've noticed the iMX codec package we are pulling in contains binaries that aren't complied with many of the compilation options available to reduce the impact of potential vulnerabilities in the code. Would it be possible to release a version with hardening enabled?
We'd be looking for:
This option provides buffer overflow checks when using functions such as sprintf, strcat, strcpy, etc, which are used by various components of imx-codec.
On armv8, this enables stack sentinels that help prevent stack overflow attacks from becoming remote code execution exploits.
Ensuring code is complied with PIE (position independent code) helps mitigate attacks as the address space can be randomized at load time.
I'd also like to request
- -Wformat -Wformat-security -Werror=format-security
This helps ensure that code with printf formatting errors doesn't compile. (https://fedoraproject.org/wiki/Format-Security-FAQ)
