Date: Tue, 03 Feb 2015 22:34:14 -0500 From: Daniel Micay <danielmicay@...il.com> To: oss-security@...ts.openwall.com Subject: Re: Re: CVE request: heap buffer overflow in glibc swscanf > Here, it seems that the goal of the policy is risk management for use > of alloca. This is security relevant for some applications that use > glibc, because it could (for example) allow a denial of service attack > that's intended to trigger a failed alloca. There was one intended > policy, and the the incorrect "__libc_use_alloca (newsize)" caused a > different (and weaker) policy to be enforced instead. > > Use CVE-2015-1473 for this risk-management error. alloca isn't checked if -fstack-check isn't used, and most distributions don't use it. There's a good chance that a guard page will be hit but no guarantee without -fstack-check. Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.