Systems compiled with -D_FORTIFY_SOURCE=2 are not vulnerable. If I'm not
wrong, it's a format string vulnerability.

2012/1/31 RB <aoz.syn@×××××.com>

> Not sure how much testing anyone else has done (and it warrants more
> testing), but I just tested this on a rather out-of-date machine
> running hardened-sources-3.0.4 and sudo-1.8.2-r1. I had brute-force
> prevention enabled, and not only was the vulnerability not successful,
> I was locked out from all execution under my UID for 15 minutes -
> couldn't even su over from root. Definite win for hardened!