| 1 |
On Wed, Sep 22, 2004 at 08:11:54PM -0400, Ned Ludd wrote: |
| 2 |
> |
| 3 |
> Yes. Our security team has currently done 141 GLSA's this year alone. |
| 4 |
> 42 of which match the string overflow. |
| 5 |
> |
| 6 |
> Only 1 of those does not play along with -fstack-protector that I'm |
| 7 |
> aware of and that's being worked on currently. |
| 8 |
> |
| 9 |
|
| 10 |
Maybe it would be a good idea to add additional info in the GLSA |
| 11 |
about the vulunerability if you use "-fstack-protector". |
| 12 |
(Sorry if that's already the case but i can't remember seeing |
| 13 |
it) |
| 14 |
|
| 15 |
Ofcourse this can be dangerous because lazy people stop updating |
| 16 |
the software because they feel safe which is totaly wrong. |
| 17 |
|
| 18 |
Maybe some very carefull neutral hint would help. |
| 19 |
|
| 20 |
I would use such information to decide if i should go and fix |
| 21 |
something at 3am or go to bed and fix it 6h later after i wake |
| 22 |
up. |
| 23 |
|
| 24 |
The main goal would be some advertisement for -fstack-protector. |
| 25 |
|
| 26 |
Just an idea. I'm not even sure if i like it myself :) |
| 27 |
|
| 28 |
|
| 29 |
Christian |
| 30 |
|
| 31 |
-- |
| 32 |
gentoo-dev@g.o mailing list |
Archives