Date: Sun, 13 Jul 2014 12:39:21 +0200
From: Szabolcs Nagy <nsz@...t70.net>
To: musl@...ts.openwall.com
Cc: Isaac Dunham <ibid.ag@...il.com>, Bob Beck <beck@...nbsd.org>
Subject: Re: [PATCH] implement issetugid(2)

* Brent Cook <busterb@...il.com> [2014-07-12 23:23:14 +0200]:
> Compile-time tests were ruled out because static libraries can be built against a safe libc, then linked to an app that uses an unsafe libc, causing a vulnerability.
> 

in general a static lib cannot verify the safety of the libc
that will be used with it so while i understand the concern
i think it's futile trying to work around this in the lib

i see that issetugid is needed because there are many getenv
calls in openssl, glibc has secure_getenv for this (which
can be added to musl too i think) so that might be another
approach that works on linux
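
The approach discussed in this message, as an added example that is not part of the original post and is not musl, glibc or OpenSSL code: an environment lookup that returns nothing when the process runs with elevated privilege, which is the behaviour a library wants in place of each bare getenv call. It assumes Linux, where the kernel reports the condition through the AT_SECURE auxiliary-vector entry; the helper names and the DEMO_CONF variable are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/auxv.h>   /* getauxval(), AT_SECURE (Linux; glibc and musl) */

/* Nonzero when the process runs with more privilege than its invoker.
 * The kernel sets AT_SECURE when a set-user-ID or set-group-ID program
 * is executed. The ID comparison is a fallback for the case where the
 * auxiliary-vector entry is missing (getauxval() then returns 0). */
int process_is_elevated(void)
{
    if (getauxval(AT_SECURE) != 0)
        return 1;
    return getuid() != geteuid() || getgid() != getegid();
}

/* Hypothetical helper: getenv() gated on an explicit flag, so the
 * policy can be exercised without installing a setuid binary. */
const char *guarded_getenv(const char *name, int elevated)
{
    if (name == NULL || elevated)
        return NULL;            /* ignore attacker-controlled environment */
    return getenv(name);
}

/* Hypothetical drop-in for the library's getenv() calls. */
const char *safe_getenv(const char *name)
{
    return guarded_getenv(name, process_is_elevated());
}

int main(void)
{
    /* DEMO_CONF is a constructed variable name for illustration. */
    const char *conf = safe_getenv("DEMO_CONF");

    printf("elevated: %d\n", process_is_elevated());
    printf("DEMO_CONF: %s\n", conf ? conf : "(ignored or unset)");
    return 0;
}
```

Because the check runs inside the process at the time of the call, it does not depend on which libc the static library was originally compiled against.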
