Date: Thu, 2 Sep 2010 17:56:39 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley@...us.mitre.org
Subject: Re: CVE id request: libc fortify source information disclosure

On Tue, 31 Aug 2010 16:02:14 -0400 (EDT) Steven M. Christey wrote:

> The risk may be very minimal, but the FORTIFY_SOURCE protection
> mechanism is not working "as advertised" - it can be manipulated for
> an admittedly-small information leak.

For the sake of correctness, the protective technology that kicks in in
Dan's example is stack protector, not FORTIFY_SOURCE. Though it's
probably still glibc to blame for using the same error-reporting
function in both cases.

On Wed, 25 Aug 2010 21:49:20 +0200 Nico Golde wrote:

> As this also works for setuid programs it would be nice to get one
> assigned and have this patched.

It seems the fix would need to remove all possibly-useful info from the
error message.

--
Tomas Hoger / Red Hat Security Response Team