Message-ID: <20100902175639.07169083@redhat.com>
Date: Thu, 2 Sep 2010 17:56:39 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley@...us.mitre.org
Subject: Re: CVE id request: libc fortify source information disclosure

On Tue, 31 Aug 2010 16:02:14 -0400 (EDT) Steven M. Christey wrote:

> The risk may be very minimal, but the FORTIFY_SOURCE protection
> mechanism is not working "as advertised" - it can be manipulated for
> an admittedly-small information leak.

For the sake of correctness, the protective technology that kicks in in
Dan's example is the stack protector, not FORTIFY_SOURCE.  Though it's
probably still glibc to blame for using the same error-reporting
function in both cases.


On Wed, 25 Aug 2010 21:49:20 +0200 Nico Golde wrote:

> As this also works for setuid programs it would be nice to get one
> assigned and have this patched.

It seems the fix would need to remove all possibly-useful info from the
error message.

-- 
Tomas Hoger / Red Hat Security Response Team
