oss-security - Re: Alleged libstdc++ vulnerabilities

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Fri, 14 Aug 2015 18:55:01 +0100
From: Jonathan Wakely <jwakely.gcc@...il.com>
To: Florian Weimer <fweimer@...hat.com>
Cc: "libstdc++" <libstdc++@....gnu.org>, oss-security@...ts.openwall.com
Subject: Re: Alleged libstdc++ vulnerabilities

On 14 August 2015 at 18:49, Florian Weimer wrote:
> Does anybody know what this is about and can point to the relevant PRs?
>
> “discovered serious security bugs in […] libstdc++”
>
> <http://www.news.gatech.edu/2015/08/13/georgia-tech-finds-11-security-flaws-popular-internet-browsers-using-new-analysis-method>
>
> The USENIX paper
> <https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-lee.pdf>
> does not back up this claim.

The paper abstract says "discovered 11 previously unknown security vulnera-
bilities: nine in GNU libstdc++ and two in Firefox, all of which have
been confirmed and subsequently fixed by vendors. "

I guess they are referring to https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63345

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.