Does Debian 6.0 (Squeeze) have buffer overflow protection mechanisms?

Question

My question is: Which buffer overflow / stack smashing defenses (if any) are enabled by default in Debian 6.0 (Squeeze)?

Ubuntu has a handy summary table showing the main security features of each Server edition release, but I haven't found something similar for Debian. Ubuntu mentions:

• Stack Protector (gcc's -fstack-protector)
• Heap Protector (GNU C Library heap protector)
• Pointer Obfuscation (Some pointers stored in glibc are obfuscated)
• Address Space Layout Randomisation (ASLR) (Stack ASLR; Libs/mmap ASLR; Exec ASLR; brk ASLR; VDSO ASLR)
• Several daemons built as Position Independent Executables (PIE)
• Some daemons (?) built with Fortify Source "-D_FORTIFY_SOURCE=2"

To which extent does Debian 6.0 use similar techniques (by default)?

Answer 1

Unfortunately most (all?) of these defenses are not enabled on Debian. They have talked about it for years and there was some "hardened debian" project, but it has not lead to anything concrete so far from user's perspective. It is one of the rare distros which have not implemented these measures yet.

There is some more information at http://wiki.debian.org/Hardening:

After their meeting on the 14-16 January 2011, the debian security team announced in an email they intend to push the inclusion of hardening features for the wheezy release. A Birds of a Feather-session will be organized during the 2011 debconf to setup a process.

The referenced email is here: http://lists.debian.org/debian-devel-announce/2011/01/msg00006.html.

So maybe it is finally coming in "wheezy"...

This is the biggest single reason why I personally prefer running Ubuntu over Debian on my servers.

Answer 2

If you need a package in Debian with special CFLAGS or config options, you can use apt-build. Gentoo or *BSD is a very good OS for this purposes.

I know this isn't a solution but is the better workaround now.