Date: Mon, 23 May 2011 08:39:51 +0200
From: Sebastian Krahmer <krahmer@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple libraries privilege checking

On Thu, May 19, 2011 at 12:45:23AM +0400, Solar Designer wrote:
> On Tue, May 17, 2011 at 01:18:33PM +0200, Sebastian Krahmer wrote:
> > I uploaded an openssl-1.0.0d patch to
> >
> > http://suse.de/~krahmer/libs-vs-fscaps
>
> Thank you!
>
> > The preferred way is to check the dumpable flag via prctl() which
> > is detected by the config script.
>
> This is fail-open (at build time). If the -e "/usr/include/sys/prctl.h"
> check somehow fails, we silently get an insecure build. Of course,

Honestly, that was the easiest I could do in that time frame. The openssl
config is a bit weird to me and the openssl project is not even providing
distclean source tarballs for download (they contain symlinks etc.).
It is also rather meant as a help for upstream which they could use as a
base. I am sure they know better how to combine it with their config
scripts and I am happy with changes as long as our resulting binary
contains the hardening.

I will try to ping the openssl developers about it.

Sebastian

--
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@...e.de - SuSE Security Team

---
SUSE LINUX Products GmbH,
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany
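The build-time fail-open concern from the quoted reply, as an added example that is not part of the original message or of the openssl patch it discusses: a dumpable-flag check that stops the build when `sys/prctl.h` is missing and treats every prctl() result other than 1 as privileged. The names `lib_running_privileged`, `lib_getenv` and `LIBDEMO_CONF` are hypothetical, and the example assumes, as the thread does, that the dumpable flag is not 1 when the process was started with raised privileges.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#if defined(__linux__)
/* Included unconditionally: if the header is missing the build stops,
 * instead of a configure-time "-e" test quietly dropping the check. */
#include <sys/prctl.h>
#ifndef PR_GET_DUMPABLE
#error "PR_GET_DUMPABLE unavailable: refusing to build without the check"
#endif
#define HAVE_DUMPABLE_CHECK 1
#else
#define HAVE_DUMPABLE_CHECK 0
#endif

/* Hypothetical helper: 1 = treat the process as privileged, 0 = not. */
int lib_running_privileged(void)
{
    /* Classic setuid/setgid detection. */
    if (getuid() != geteuid() || getgid() != getegid())
        return 1;
#if HAVE_DUMPABLE_CHECK
    /* Only the value 1 means "ordinary, dumpable process". 0, 2 and
     * -1 (prctl error) are all treated as privileged. */
    if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) != 1)
        return 1;
    return 0;
#else
    return 1; /* no dumpable flag to consult: fail closed at run time */
#endif
}

/* Hypothetical wrapper: the environment is ignored when privileged. */
const char *lib_getenv(const char *name)
{
    return lib_running_privileged() ? NULL : getenv(name);
}

int main(void)
{
    /* LIBDEMO_CONF is a constructed variable name for this example. */
    const char *v = lib_getenv("LIBDEMO_CONF");
    printf("privileged=%d LIBDEMO_CONF=%s\n",
           lib_running_privileged(), v ? v : "(ignored or unset)");
    return 0;
}
```

A process can change its own flag with prctl(PR_SET_DUMPABLE), so the result reflects the current flag value, not only how the binary was started.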