On Wed, Sep 22, 2004 at 08:11:54PM -0400, Ned Ludd wrote:
>
> Yes. Our security team has currently done 141 GLSA's this year alone.
> 42 of which match the string overflow.
>
> Only 1 of those does not play along with -fstack-protector that I'm
> aware of and that's being worked on currently.
>

Maybe it would be a good idea to add additional info in the GLSA
about the vulnerability if you use "-fstack-protector".
(Sorry if that's already the case but I can't remember seeing
it)

Of course this can be dangerous because lazy people stop updating
the software because they feel safe, which is totally wrong.

Maybe some very careful neutral hint would help.

I would use such information to decide if I should go and fix
something at 3am or go to bed and fix it 6h later after I wake
up.

The main goal would be some advertisement for -fstack-protector.

Just an idea. I'm not even sure if I like it myself :)


Christian

--
gentoo-dev@g.o mailing list