On Mon, Jan 04, 2010 at 01:20:33AM -0800, Kees Cook wrote:
> Package: eglibc
> Version: 2.10.2-3
> Severity: normal
> Tags: patch
> User: ubuntu-de...@lists.ubuntu.com
> Usertags: origin-ubuntu lucid ubuntu-patch
> As more packages (perhaps all!) start using either hardening-wrapper
> or the hardening-includes packages to gain the -D_FORTIFY_SOURCE=2 and
> -fstack-protector compiler flags, it starts becoming important to handle
> a number of special cases that upstream glibc either hasn't acted on or
> has inappropriately rejected.
> I would like to include the following patches that Ubuntu has carried for
> several releases now. (Note that submitted-leading-zero-stack-guard.diff
> will need to be adjusted slightly if stack-guard-quick-randomization.diff
> is not applied.)

I have applied the two stack protection patches in the Debian package,
but not the two other ones. See my comments below.

> The sprintf function used when -D_FORTIFY_SOURCE=2 is used incorrectly
> pre-truncates the destination buffer; this changes the long-standing
> expectation of sprintf(foo,"%sbaz",foo) to work. See the patch for
> further discussion.

As explained in the bug report, this code is not valid anyway. If we
want people to fix their code, we should not work around the issue. Also
I am not able to evaluate the impact of the fix, and don't know if it
may introduce a security bug.

> Again, patch contains discussion, but basically, this disables a
> useless and noisy warning that -D_FORTIFY_SOURCE=2 triggers.

I think people should either not use -D_FORTIFY_SOURCE=2 or fix their
code. This is a warning anyway. I agree an error can happen up to the
fclose() call, but it's not an excuse to not check possible errors at
the fwrite() level. The real bug is actually that fclose() is not marked
__wur, and that's probably what has to be fixed.

Aurelien Jarno GPG: 1024D/F1BCDB73
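
The two coding patterns discussed in this thread, as an added example that is not part of the original message or of the eglibc patches: appending to a buffer without passing it to sprintf as both destination and argument, and checking the results of both fwrite() and fclose(). The function names append_suffix and write_all and the file name example.out are hypothetical; suffix is assumed not to point into buf.

```c
#include <stdio.h>
#include <string.h>

/* Append suffix to the string already in buf (capacity cap) instead of
 * calling sprintf(buf, "%sbaz", buf) with overlapping arguments.
 * Returns 0 on success, -1 if the result would not fit (buf unchanged). */
int append_suffix(char *buf, size_t cap, const char *suffix)
{
    const char *nul = memchr(buf, '\0', cap);
    if (nul == NULL)
        return -1;                    /* buf is not NUL-terminated */
    size_t used = (size_t)(nul - buf);
    size_t slen = strlen(suffix);
    if (slen >= cap - used)
        return -1;                    /* no room for suffix plus NUL */
    memcpy(buf + used, suffix, slen + 1);
    return 0;
}

/* Write len bytes to path. stdio buffers data, so a write error may only
 * be reported at fclose(); both results are checked.
 * Returns 0 on success, -1 on any error. */
int write_all(const char *path, const void *data, size_t len)
{
    FILE *fp = fopen(path, "wb");
    if (fp == NULL)
        return -1;
    int rc = 0;
    if (fwrite(data, 1, len, fp) != len)
        rc = -1;
    if (fclose(fp) != 0)
        rc = -1;
    return rc;
}

int main(void)
{
    char foo[16] = "foo";             /* constructed sample input */
    if (append_suffix(foo, sizeof foo, "baz") != 0)
        return 1;
    puts(foo);
    return write_all("example.out", foo, strlen(foo)) == 0 ? 0 : 1;
}
```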