Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 24 Oct 2014 16:56:11 -0700
From: Tavis Ormandy <>
To: Michal Zalewski <>
Cc: oss-security <>
Subject: Re: strings / libbfd crasher

On 24 October 2014 13:31, Michal Zalewski <> wrote:
> [+Tavis]
>>> I don't understand the user benefit of extracting strings only from
>>> certain sections of executables, and I almost feel like it's a side
>>> effect of strings being a part of binutils more than anything else.
>> I fully agree. I wasn't aware strings does any kind of executable
>> parsing and I was very surprised that there is any attack vector at all
>> against it at all.
> Tavis mentioned to me some time ago that he made that suggestion
> upstream when he bumped into other issues many years ago; he can
> probably comment on how that went, but more generally, distro vendors
> have some latitude to apply non-upstream patches to change the default
> behavior... maybe that's the way to go.
> /mz

Yeah, `strings -a` is closer to what people expect by default - most
people find the section parsing a surprise. I found this one 10 years
ago, and suggested at
the time that maybe `strings -a` should be the default mode, enabling
bfd parsing only when requested.

This was dismissed by upstream, but I still think it's a good idea...


------------------------------------- | pgp encrypted mail preferred

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ