| 1 |
Systems compiled with -D_Fortify_source=2 are not vulnerable. If I'm not |
| 2 |
wrong it's a format string vulnerability. |
| 3 |
|
| 4 |
2012/1/31 RB <aoz.syn@×××××.com> |
| 5 |
|
| 6 |
> Not sure how much testing anyone else has done (and it warrants more |
| 7 |
> testing), but I just tested this on a rather out-of-date machine |
| 8 |
> running hardened-sources-3.0.4 and sudo-1.8.2-r1. I had brute-force |
| 9 |
> prevention enabled, and not only was the vulnerability not successful, |
| 10 |
> I was locked out from all execution under my UID for 15 minutes - |
| 11 |
> couldn't even su over from root. Definite win for hardened! |
| 12 |
> |
| 13 |
> |
Archives