Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20101025032602.GA29006@openwall.com>
Date: Mon, 25 Oct 2010 07:26:02 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: glibc $ORIGIN problem - CVE-2010-3847

Hi,

This was discussed off-list before, but just to have it more widely
known/available - distros are welcome to reuse our sanitize-env patch
from Owl:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/glibc/glibc-2.3.5-owl-alt-sanitize-env.diff

or perhaps a revision of it forward-ported to current glibc in ALT's
package.  Here's a relevant commit:

http://git.altlinux.org/people/ldv/packages/?p=glibc.git;a=commitdiff;h=64963eb224c9

Perhaps further changes were made to some of the patched files in
Dmitry's repository above (the commit is a bit dated, whereas the
current tree is based on glibc 2.11.2).  Dmitry, you could want to
comment on that.

These changes, being a result of exhaustive review of glibc for env var
uses, might also provide further inspiration for more attacks on glibc
(without our patch).

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.