Date: Thu, 2 Sep 2010 17:56:39 +0200 From: Tomas Hoger <thoger@...hat.com> To: oss-security@...ts.openwall.com Cc: coley@...us.mitre.org Subject: Re: CVE id request: libc fortify source information disclosure On Tue, 31 Aug 2010 16:02:14 -0400 (EDT) Steven M. Christey wrote: > The risk may be very minimal, but the FORTIFY_SOURCE protection > mechanism is not working "as advertised" - it can be manipulated for > an admittedly-small information leak. For the sake of correctness, protective technology that kicks in in the Dan's example is stack protector, not FORTIFY_SOURCE. Though it's probably still glibc to blame for using the same error-reporting function in both cases. On Wed, 25 Aug 2010 21:49:20 +0200 Nico Golde wrote: > As this also works for setuid programs it would be nice to get one > assigned and have this patched. It seems the fix would need to remove all possibly-useful info from the error message. -- Tomas Hoger / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.