From 10d3603ffac70845528ca9de36d0ec8c0e523237 Mon Sep 17 00:00:00 2001
From: Philip Kaufmann <phil.kaufmann@t-online.de>
Date: Fri, 12 Oct 2012 22:05:48 +0200
Subject: [PATCH 1/2] Bitcoin-Qt: add new GCC compiler hardening options

- this patch enables several new GCC compiler hardening options that
  allows us to increase the security of our binaries (see:
  https://wiki.debian.org/Hardening)

-D_FORTIFY_SOURCE=2:
Enables compile-time protection against static sized buffer overflows.

-Wl,-z,relro -Wl,-z,now:
Enables full RELRO (RELocation Read-Only), which is a generic mitigation
technique to harden the data sections of an ELF binary/process. See:
http://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only/ for
further details.
---
 bitcoin-qt.pro | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/bitcoin-qt.pro b/bitcoin-qt.pro
index 8aceb0390..e71bb5fa8 100644
--- a/bitcoin-qt.pro
+++ b/bitcoin-qt.pro
@@ -38,6 +38,8 @@ QMAKE_LFLAGS *= -fstack-protector-all --param ssp-buffer-size=1
 # We need to exclude this for Windows cross compile with MinGW 4.2.x, as it will result in a non-working executable!
 # This can be enabled for Windows, when we switch to MinGW >= 4.4.x.
 }
+# for extra security (see: https://wiki.debian.org/Hardening)
+QMAKE_CXXFLAGS *= -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now
 # for extra security on Windows: enable ASLR and DEP via GCC linker flags
 win32:QMAKE_LFLAGS *= -Wl,--dynamicbase -Wl,--nxcompat
 

From 493940038f44412ece135e1a625499ea89a93e56 Mon Sep 17 00:00:00 2001
From: Philip Kaufmann <phil.kaufmann@t-online.de>
Date: Sat, 13 Oct 2012 10:25:17 +0200
Subject: [PATCH 2/2] Bitcoin-Qt: remove unneeded "--param ssp-buffer-size=1"
 flag

- that flag is not needed when using "-fstack-protector-all", so remove it
  (see:
  http://stackoverflow.com/questions/1629685/when-and-how-to-use-gccs-stack-protection-feature)
---
 bitcoin-qt.pro | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bitcoin-qt.pro b/bitcoin-qt.pro
index e71bb5fa8..8a5db2254 100644
--- a/bitcoin-qt.pro
+++ b/bitcoin-qt.pro
@@ -33,8 +33,8 @@ contains(RELEASE, 1) {
 
 !win32 {
 # for extra security against potential buffer overflows: enable GCCs Stack Smashing Protection
-QMAKE_CXXFLAGS *= -fstack-protector-all --param ssp-buffer-size=1
-QMAKE_LFLAGS *= -fstack-protector-all --param ssp-buffer-size=1
+QMAKE_CXXFLAGS *= -fstack-protector-all
+QMAKE_LFLAGS *= -fstack-protector-all
 # We need to exclude this for Windows cross compile with MinGW 4.2.x, as it will result in a non-working executable!
 # This can be enabled for Windows, when we switch to MinGW >= 4.4.x.
 }