| 1 |
> I didn't test that patch; even if it's incorrect, bugreport is not about |
| 2 |
> a patch. It's about a security issue. |
| 3 |
|
| 4 |
Well, the bug report is about the patch. There's another bug about the |
| 5 |
issues with LD_AUDIT: https://bugs.gentoo.org/show_bug.cgi?id=341755 |
| 6 |
|
| 7 |
> This proof-of-concept exploit still works in gentoo (amd64 stable at least, |
| 8 |
> even hardened!), because some dangerous variables are not filtered out. |
| 9 |
|
| 10 |
It still works because glibc-2.11.2-r2 with the fix is still keyworded |
| 11 |
(yeah, epic fail goes on). |
Archives