One of the best ways to improve the security of a distribution is to improve the compiler's ability to detect bugs that could potentially lead to exploits.
At Fedora, whenever a new compiler check gets written we like to rebuild the entire distribution to find and fix the issues it reports.
Enable “-Werror=format-security” compilation flag
All packages in Fedora 21 were rebuilt with the -Werror=format-security switch. This flag causes GCC to refuse to compile code that could be vulnerable to an uncontrolled format string security flaw.
Wikipedia describes an uncontrolled format string flaw as:
Uncontrolled format string is a type of software vulnerability, discovered around 1999, that can be used in security exploits. Previously thought harmless, format string exploits can be used to crash a program or to execute harmful code. The problem stems from the use of unchecked user input as the format string parameter in certain C functions that perform formatting, such as printf(). A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf() and similar functions to write the number of bytes formatted to an address stored on the stack.
The GCC man page describes the option:
man gcc
...
-Wformat-security
    If -Wformat is specified, also warn about uses of format functions that represent possible security problems. At present, this warns about calls to "printf" and "scanf" functions where the format string is not a string literal and there are no format arguments, as in "printf (foo);". This may be a security hole if the format string came from untrusted input and contains %n. (This is currently a subset of what -Wformat-nonliteral warns about, but in future warnings may be added to -Wformat-security that are not included in -Wformat-nonliteral.)
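To make the man page text concrete, here is an added example (not code from the original post or from any Fedora package) of the call shape the check rejects, the one-line fix, and a wrapper that keeps the check working at its own call sites. The function names render_unsafe, render_safe and log_fmt are hypothetical. Compiling it with -Werror=format-security fails on the render_unsafe line, which is exactly what the Fedora 21 rebuild forced packagers to fix.

```c
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

/* Added example, not code from the original post or from Fedora.
 * Function names (render_unsafe, render_safe, log_fmt) are hypothetical. */

/* VULNERABLE pattern: a caller-supplied string is used as the format and
 * no format arguments follow.  This is the call shape -Wformat-security
 * reports and that -Werror=format-security turns into a build failure.
 * If msg contains conversions such as %x or %n, snprintf reads (or, with
 * %n, writes) memory it was never given. */
static int render_unsafe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, msg);
}

/* FIXED: the format is a literal and msg is passed as an argument, so any
 * '%' inside msg is copied as plain data. */
static int render_safe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, "%s", msg);
}

/* A logging wrapper that still accepts a format string, but declares that
 * fact to GCC with the format attribute: -Wformat then type-checks every
 * call site, and log_fmt(buf, sizeof buf, user_input) is flagged just as a
 * bare printf(user_input) would be. */
static int log_fmt(char *out, size_t outsz, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

static int log_fmt(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

int main(void)
{
    /* Constructed input: a doubled percent sign is a legal format string,
     * so the difference between the two paths shows up without undefined
     * behaviour. */
    const char *msg = "discount: 50%% off";
    char a[64], b[64], c[64];

    int na = render_unsafe(a, sizeof a, msg);   /* "%%" collapses to "%" */
    int nb = render_safe(b, sizeof b, msg);     /* copied verbatim */
    int nc = log_fmt(c, sizeof c, "%s (%d chars)", msg, nb);

    printf("unsafe: %s [%d]\nsafe:   %s [%d]\nlog:    %s [%d]\n",
           a, na, b, nb, c, nc);
    return 0;
}
```

The "%%" input is deliberately harmless; it only demonstrates that the unsafe path interprets the caller's bytes as directives while the safe path copies them. The same interpretation is what turns a %n in untrusted input into a memory write, which is why the build-time check is worth the rebuild effort.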
This change led packages to fix many potential bugs and exploitable flaws, improving the overall security of Fedora.
In the past I have written this blog at danwalsh.livejournal.com. I have been asked to move it here since it is Fedora-specific. If you have ideas or comments on things I have missed in the series, please send mail to email@example.com and I will look into adding these.