Date: Sun, 13 Jul 2014 12:39:21 +0200 From: Szabolcs Nagy <nsz@...t70.net> To: musl@...ts.openwall.com Cc: Isaac Dunham <ibid.ag@...il.com>, Bob Beck <beck@...nbsd.org> Subject: Re: [PATCH] implement issetugid(2) * Brent Cook <busterb@...il.com> [2014-07-12 23:23:14 +0200]: > Compile-time tests were ruled out because static libraries can be built against a safe libc, then linked to an app that uses an unsafe libc, causing a vulnerability. > in general a static lib cannot verify the safety of the libc that will be used with it so while i understand the concern i think it's futile trying to work this around in the lib i see that issetugid is needed because there are many getenv calls in openssl, glibc has secure_getenv for this (which can be added to musl too i think) so that might be another approach that works on linux
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.