Re: [oss-security] CVE id request: libc fortify source information disclosure

From: Tomas Hoger <thoger_at_nospam>
Date: Thu Sep 02 2010 - 15:56:39 GMT
To: oss-security@lists.openwall.com

On Tue, 31 Aug 2010 16:02:14 -0400 (EDT) Steven M. Christey wrote:

> The risk may be very minimal, but the FORTIFY_SOURCE protection
> mechanism is not working "as advertised" - it can be manipulated for
> an admittedly-small information leak.

For the sake of correctness, the protective technology that kicks in in
Dan's example is the stack protector, not FORTIFY_SOURCE. Though it's
probably still glibc to blame for using the same error-reporting
function in both cases.

On Wed, 25 Aug 2010 21:49:20 +0200 Nico Golde wrote:

> As this also works for setuid programs it would be nice to get one
> assigned and have this patched.

It seems the fix would need to remove all possibly-useful info from the
error message.

-- Tomas Hoger / Red Hat Security Response Team