Date: Mon, 25 Oct 2010 07:26:02 +0400 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: glibc $ORIGIN problem - CVE-2010-3847 Hi, This was discussed off-list before, but just to have it more widely known/available - distros are welcome to reuse our sanitize-env patch from Owl: http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/glibc/glibc-2.3.5-owl-alt-sanitize-env.diff or perhaps a revision of it forward-ported to current glibc in ALT's package. Here's a relevant commit: http://git.altlinux.org/people/ldv/packages/?p=glibc.git;a=commitdiff;h=64963eb224c9 Perhaps further changes were made to some of the patched files in Dmitry's repository above (the commit is a bit dated, whereas the current tree is based on glibc 2.11.2). Dmitry, you could want to comment on that. These changes, being a result of exhaustive review of glibc for env var uses, might also provide further inspiration for more attacks on glibc (without our patch). Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.