Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 16 Sep 2016 08:55:29 -0700 (PDT)
From: Jeffrey Walton <noloader@...il.com>
To: oss-security@...ts.openwall.com
Subject: Fwd: CVE-2016-7420 and dev-brach 'trap' ready for testing

The improved code should be available in Master in the next few days. After 
about three or four weeks we will release Crypto++ 5.6.5.

The decision to release Crypto++ 5.6.5 was driven by Error Reporting 
services like Apport, CrashReporter and WER; and company's like Apple, 
Google and Microsoft's cooperation with governments to mine sensitive 
information.

On Friday, September 16, 2016 at 11:51:36 AM UTC-4, Jeffrey Walton wrote:
>
> Hi Everyone,
>
> CVE-2016-7420 caused us to cut-in CRYPTOPP_ASSERT a little earlier than 
> expected. <trap.h> and CRYPTOPP_ASSERT have existed in Master for over a 
> year. We set up a dev-branch called 'trap' to isolate the cut-in during 
> testing.
>
> The cut-over to CRYPTOPP_ASSERT occurred at 
> https://github.com/weidai11/cryptopp/commit/399a1546de71f41598c15edada28e7f0d616f541 
> . It tested OK under modern versions of Clang, CGG, Solaris and Visual 
> Studio.
>
> The defining factor of CRYPTOPP_ASSERT is it abandons Posix NDEBUG, which 
> we used to rely upon to remove asserts. We switched strategies, and now we 
> enable CRYPTOPP_ASSERT if any the following are defined: CRYPTOPP_DEBUG, 
> DEBUG, _DEBUG. This strategy side steps bad release/production 
> configurations due to policy (Debian never defines NDEBUG) and 
> errors/omissions (users or Autotools or CMake or Eclipse <other build 
> system> fails to define NDEBUG).
>
> CRYPTOPP_ASSERT also adds a nice feature: it raises SIGTRAP rather than 
> SIGABRT. SIGABRT will snap the debugger, if present. And it won't follow 
> Posix's idiotic footsteps and crash the program with a SIGABRT while a 
> developer is debugging it.
>
> The last two, DEBUG and _DEBUG, are set in Visual Studio projects by 
> Microsoft; and they cause CRYPTOPP_DEBUG to be set automatically. BSD, 
> Linux, Solaris and Unix user will have to -DCRYPTOPP_DEBUG=1 or uncomment 
> CRYPTOPP_DEBUG in config.h.
>
> If all goes well with testing, then we will merge Trap dev-branch into 
> Master this weekend or early next week. Our test script takes two or three 
> days to run on IoT gadets like BeableBoards and CubieTrucks, so the 
> earliest we can merge will be late Saturday or Sunday.
>
> Jeff
>

[ CONTENT OF TYPE text/html SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ