Date: Fri, 17 Nov 2017 15:32:28 -0600
From: John Lightsey <jd@...nel.net>
To: oss-security@...ts.openwall.com
Subject: Re: phusion passenger CVE-2017-1000384

On 11/17/17 3:19 PM, Jakub Wilk wrote:
> * John Lightsey <jd@...nel.net>, 2017-11-17, 14:58:
>> https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf
>>
> 
> This adds:
> 
>   #ifdef false
>   ...
>   #endif
> 
> But false _is_ a defined macro in this file, so this doesn't disable the
> code inside. I guess they meant to write:
> 
>   #if false
>   ...
>   #endif
> 

True enough. The removal of the call to inferApplicationInfo() is the
key part of the change.
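
The preprocessor behaviour discussed in this thread, as an added example that is not part of the original messages or of Passenger's code: `#ifdef` tests only whether a name is defined, while `#if` evaluates its value. The `#define false 0` line is an assumption standing in for however the patched file ends up with `false` as a macro, and the function names are hypothetical.

```c
#include <stdio.h>

/* Assumption: `false` is a macro expanding to 0 in this translation unit. */
#ifndef false
#define false 0
#endif

/* #ifdef asks "is the name defined?", so the guarded code IS compiled. */
int ifdef_false_with_macro(void) {
#ifdef false
    return 1;   /* region compiled */
#else
    return 0;   /* region skipped */
#endif
}

/* #if asks "is the value non-zero?", so the guarded code is skipped. */
int if_false_with_macro(void) {
#if false
    return 1;
#else
    return 0;
#endif
}

/* Remove the macro to show that only #ifdef depends on its presence. */
#undef false

int ifdef_false_without_macro(void) {
#ifdef false
    return 1;
#else
    return 0;
#endif
}

/* In #if, `false` still evaluates to 0 when it is not a macro. */
int if_false_without_macro(void) {
#if false
    return 1;
#else
    return 0;
#endif
}

int main(void) {
    printf("macro defined:   #ifdef false -> %d, #if false -> %d\n",
           ifdef_false_with_macro(), if_false_with_macro());
    printf("macro undefined: #ifdef false -> %d, #if false -> %d\n",
           ifdef_false_without_macro(), if_false_without_macro());
    return 0;
}
```

`#if false` skips the region in both cases, whereas `#ifdef false` disables it only when nothing has defined `false`.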

