Date: Fri, 16 Sep 2016 08:55:29 -0700 (PDT)
From: Jeffrey Walton <>
Subject: Fwd: CVE-2016-7420 and dev-branch 'trap' ready for testing

The improved code should be available in Master in the next few days. After 
about three or four weeks we will release Crypto++ 5.6.5.

The decision to release Crypto++ 5.6.5 was driven by Error Reporting 
services like Apport, CrashReporter and WER; and companies like Apple, 
Google and Microsoft's cooperation with governments to mine sensitive 

On Friday, September 16, 2016 at 11:51:36 AM UTC-4, Jeffrey Walton wrote:
> Hi Everyone,
> CVE-2016-7420 caused us to cut-in CRYPTOPP_ASSERT a little earlier than 
> expected. <trap.h> and CRYPTOPP_ASSERT have existed in Master for over a 
> year. We set up a dev-branch called 'trap' to isolate the cut-in during 
> testing.
> The cut-over to CRYPTOPP_ASSERT occurred at 
> . It tested OK under modern versions of Clang, GCC, Solaris and Visual 
> Studio.
> The defining factor of CRYPTOPP_ASSERT is it abandons Posix NDEBUG, which 
> we used to rely upon to remove asserts. We switched strategies, and now we 
> enable CRYPTOPP_ASSERT if any of the following are defined: CRYPTOPP_DEBUG, 
> DEBUG, _DEBUG. This strategy sidesteps bad release/production 
> configurations due to policy (Debian never defines NDEBUG) and 
> errors/omissions (users or Autotools or CMake or Eclipse <other build 
> system> fails to define NDEBUG).
> CRYPTOPP_ASSERT also adds a nice feature: it raises SIGTRAP rather than 
> SIGABRT. SIGABRT will snap the debugger, if present. And it won't follow 
> Posix's idiotic footsteps and crash the program with a SIGABRT while a 
> developer is debugging it.
> The last two, DEBUG and _DEBUG, are set in Visual Studio projects by 
> Microsoft; and they cause CRYPTOPP_DEBUG to be set automatically. BSD, 
> Linux, Solaris and Unix users will have to -DCRYPTOPP_DEBUG=1 or uncomment 
> CRYPTOPP_DEBUG in config.h.
> If all goes well with testing, then we will merge Trap dev-branch into 
> Master this weekend or early next week. Our test script takes two or three 
> days to run on IoT gadgets like BeagleBoards and CubieTrucks, so the 
> earliest we can merge will be late Saturday or Sunday.
> Jeff
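
The opt-in assert policy described in the quoted message, as an added example that is not Crypto++'s trap.h or any code from the project: EX_ASSERT, EX_DEBUG and the helper functions are hypothetical names, and a POSIX system that defines SIGTRAP is assumed. A build with neither NDEBUG nor a debug macro keeps the standard assert active but compiles EX_ASSERT out.

```cpp
#include <csignal>
#include <cstdio>

// Opt-in policy: the check exists only when a debug macro is defined.
// NDEBUG is never consulted, so a build that omits -DNDEBUG still ships
// without asserts. EX_DEBUG is a hypothetical stand-in for the project macro.
#if defined(EX_DEBUG) || defined(DEBUG) || defined(_DEBUG)
#  define EX_ASSERT_ENABLED 1
#  define EX_ASSERT(exp) do {                                         \
     if (!(exp)) {                                                    \
       std::fprintf(stderr, "Assertion failed: %s(%d): %s\n",         \
                    __FILE__, __LINE__, #exp);                        \
       std::raise(SIGTRAP);                                           \
     }                                                                \
   } while (0)
#else
#  define EX_ASSERT_ENABLED 0
#  define EX_ASSERT(exp) ((void)0)
#endif

static volatile std::sig_atomic_t g_traps = 0;
extern "C" void on_trap(int) { g_traps = g_traps + 1; }

bool ex_assert_enabled() { return EX_ASSERT_ENABLED != 0; }

// Whether the standard assert() would be active in this translation unit.
bool std_assert_enabled() {
#ifdef NDEBUG
    return false;
#else
    return true;
#endif
}

// Runs a check on a constructed key length with a SIGTRAP handler installed
// (standing in for an attached debugger) and returns the number of traps raised.
int traps_from_check(int key_len) {
    (void)key_len;                       // unused when EX_ASSERT compiles out
    g_traps = 0;
    auto prev = std::signal(SIGTRAP, on_trap);
    EX_ASSERT(key_len >= 16);
    std::signal(SIGTRAP, prev);
    return g_traps;
}

int main() {
    std::printf("std assert active: %d, EX_ASSERT active: %d, traps: %d\n",
                std_assert_enabled(), ex_assert_enabled(), traps_from_check(8));
    return 0;
}
```

Compiling with -DEX_DEBUG=1 switches the check on; adding or removing -DNDEBUG changes only what std_assert_enabled() reports.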
