Date: Tue, 5 May 2015 12:01:50 -0700
From: Tavis Ormandy <taviso@...gle.com>
To: oss-security@...ts.openwall.com
Subject: Re: Problems in automatic crash analysis frameworks

On Tue, May 5, 2015 at 5:17 AM, Florian Weimer <fweimer@...hat.com> wrote:
> On 04/23/2015 09:10 PM, Florian Weimer wrote:
>> On 04/17/2015 09:16 PM, Florian Weimer wrote:
>>> A quick update on the abrt situation.
>>
>> Another update.  We now have a public tracking bug listing the issues:
>>
>>   <https://bugzilla.redhat.com/show_bug.cgi?id=1214172>
>
>
> There is a public build (against EPEL7) of the consolidated fixes,
> available as a Copr repository:
>
>   <http://copr.fedoraproject.org/coprs/jfilak/abrt-hardened/>
>
> This also includes the consolidated fixes.
>
> At this stage, we'd appreciate additional comments/reviews.

Thanks Florian, this looks great. I'm just looking at the new ccpp. Is
it intentional that os-release and so on are still copied from the
process root? I realize now the dump directory is owned by root, so
there's no direct way to read it, but it seems like asking for trouble
to have a copy of /etc/shadow in there or something.

Tavis.
