Date: Fri, 17 Nov 2017 15:32:28 -0600 From: John Lightsey <jd@...nel.net> To: oss-security@...ts.openwall.com Subject: Re: phusion passenger CVE-2017-1000384 On 11/17/17 3:19 PM, Jakub Wilk wrote: > * John Lightsey <jd@...nel.net>, 2017-11-17, 14:58: >> https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf >> > > This adds: > > #ifdef false > ... > #endif > > But false _is_ a defined macro in this file, so this doesn't disable the > code inside. I guess they meant to write: > > #if false > ... > #endif > True enough. The removal of the call to inferApplicationInfo() is the key part of the change. Download attachment "smime.p7s" of type "application/pkcs7-signature" (3982 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ