On Mon, Apr 11, 2011 at 03:32:15PM -0400, Leonid Flaks wrote: > >And if that's the goal and the libgomp.so.3 that's distributed with Coot is > That should be libgmp, libgomp.
Natch. > And now once this vulnerability is well documented on a public list, a > very talented teenager from (put any country name here) will put some > code up to exploit it - just give google crowler a few days to index the > list. After that it would not matter if you use selinux or not. What > would matter is if you use this broken library or not. There's no guarantee that there's insecure code in libgmp, so I don't think it qualifies as a vulnerability. As a possibly strange data point, none of the libgmp.so.3.4.4 libraries distributed with the versions of Coot that I have installed require execstack: $ sblocate -p libgmp.so.3.4.4 | grep i386-linux/coot | xargs -n 1 execstack -q - /programs/i386-linux/coot/0.6.1/lib/libgmp.so.3.4.4 - /programs/i386-linux/coot/0.6.1-x86_64/lib/libgmp.so.3.4.4 - /programs/i386-linux/coot/0.6.2-pre-1-r3291-x86_64/lib/libgmp.so.3.4.4 - /programs/i386-linux/coot/0.6.2-pre-1-r3291-x86_64-rh4/lib/libgmp.so.3.4.4 - /programs/i386-linux/coot/0.6.2-pre-1-r3334/lib/libgmp.so.3.4.4 - /programs/i386-linux/coot/0.6.2-pre-1-r3334-x86_64/lib/libgmp.so.3.4.4 - /programs/i386-linux/coot/0.6.2-pre-1-r3440/lib/libgmp.so.3.4.4 - /programs/i386-linux/coot/0.6.2-pre-1-r3440-x86_64/lib/libgmp.so.3.4.4 -ben -- | Ben Eisenbraun | SBGrid Consortium | http://sbgrid.org | | Harvard Medical School | http://hms.harvard.edu |
