Date: Fri, 16 Sep 2016 08:55:29 -0700 (PDT)
From: Jeffrey Walton <noloader@...il.com>
To: oss-security@...ts.openwall.com
Subject: Fwd: CVE-2016-7420 and dev-branch 'trap' ready for testing

The improved code should be available in Master in the next few days. After
about three or four weeks we will release Crypto++ 5.6.5.

The decision to release Crypto++ 5.6.5 was driven by Error Reporting services
like Apport, CrashReporter and WER; and companies like Apple, Google and
Microsoft's cooperation with governments to mine sensitive information.

On Friday, September 16, 2016 at 11:51:36 AM UTC-4, Jeffrey Walton wrote:
>
> Hi Everyone,
>
> CVE-2016-7420 caused us to cut-in CRYPTOPP_ASSERT a little earlier than
> expected. <trap.h> and CRYPTOPP_ASSERT have existed in Master for over a
> year. We set up a dev-branch called 'trap' to isolate the cut-in during
> testing.
>
> The cut-over to CRYPTOPP_ASSERT occurred at
> https://github.com/weidai11/cryptopp/commit/399a1546de71f41598c15edada28e7f0d616f541
> . It tested OK under modern versions of Clang, GCC, Solaris and Visual
> Studio.
>
> The defining factor of CRYPTOPP_ASSERT is it abandons Posix NDEBUG, which
> we used to rely upon to remove asserts. We switched strategies, and now we
> enable CRYPTOPP_ASSERT if any of the following are defined: CRYPTOPP_DEBUG,
> DEBUG, _DEBUG. This strategy sidesteps bad release/production
> configurations due to policy (Debian never defines NDEBUG) and
> errors/omissions (users or Autotools or CMake or Eclipse <other build
> system> fails to define NDEBUG).
>
> CRYPTOPP_ASSERT also adds a nice feature: it raises SIGTRAP rather than
> SIGABRT. SIGABRT will snap the debugger, if present. And it won't follow
> Posix's idiotic footsteps and crash the program with a SIGABRT while a
> developer is debugging it.
>
> The last two, DEBUG and _DEBUG, are set in Visual Studio projects by
> Microsoft; and they cause CRYPTOPP_DEBUG to be set automatically. BSD,
> Linux, Solaris and Unix users will have to -DCRYPTOPP_DEBUG=1 or uncomment
> CRYPTOPP_DEBUG in config.h.
>
> If all goes well with testing, then we will merge Trap dev-branch into
> Master this weekend or early next week. Our test script takes two or three
> days to run on IoT gadgets like BeagleBoards and CubieTrucks, so the
> earliest we can merge will be late Saturday or Sunday.
>
> Jeff
>
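
An added example, not part of the original message and not Crypto++'s own trap.h: a minimal opt-in assertion macro following the strategy the quoted message describes (compiled in only when a debug macro is defined, never keyed on NDEBUG, and raising SIGTRAP on failure). The EXAMPLE_* names, the message format and the trap-counting handler are assumptions for illustration, and SIGTRAP assumes a POSIX system.

```cpp
// Added illustration; EXAMPLE_* names are hypothetical, not Crypto++'s trap.h.
#include <csignal>
#include <cstdio>

// Opt-in: assertions are compiled in only when a debug macro is defined.
// NDEBUG is never consulted, so a release build that forgets -DNDEBUG
// still ships without assertion code.
#if defined(EXAMPLE_DEBUG) || defined(DEBUG) || defined(_DEBUG)
# define EXAMPLE_ASSERT_ENABLED 1
# define EXAMPLE_ASSERT(expr) \
    do { \
        if (!(expr)) { \
            std::fprintf(stderr, "Assertion failed: %s(%d): %s\n", \
                         __FILE__, __LINE__, #expr); \
            std::raise(SIGTRAP); /* SIGTRAP instead of abort()/SIGABRT */ \
        } \
    } while (0)
#else
# define EXAMPLE_ASSERT_ENABLED 0
# define EXAMPLE_ASSERT(expr) ((void)0)  /* expression is not evaluated */
#endif

static volatile std::sig_atomic_t g_traps = 0;
extern "C" void count_trap(int) { g_traps = g_traps + 1; }

// Runs one check and reports how many SIGTRAPs it produced. The handler
// stands in for an attached debugger (assumption) so the process continues;
// with no handler and no debugger, SIGTRAP's default action ends the process.
int traps_from_failed_check(int key_len) {
    (void)key_len;  // unused when assertions are compiled out
    void (*old)(int) = std::signal(SIGTRAP, count_trap);
    g_traps = 0;
    EXAMPLE_ASSERT(key_len >= 16);
    std::signal(SIGTRAP, old);
    return static_cast<int>(g_traps);
}

int main() {
    std::printf("assertions %s, traps raised: %d\n",
                EXAMPLE_ASSERT_ENABLED ? "enabled" : "disabled",
                traps_from_failed_check(8));
    return 0;
}
```

Built with no debug macro the failing check raises nothing, whether or not NDEBUG is defined; built with -DEXAMPLE_DEBUG=1 it raises one SIGTRAP.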