On 04/11/2011 03:45 PM, Ben Eisenbraun wrote:
On Mon, Apr 11, 2011 at 03:32:15PM -0400, Leonid Flaks wrote:
And if that's the goal and the libgomp.so.3 that's distributed with Coot is
That should be libgmp, libgomp.
Natch.

And now once this vulnerability is well documented on a public list, a
very talented teenager from (put any country name here) will put some
code up to exploit it - just give Google crawler a few days to index the
list. After that it would not matter if you use selinux or not. What
would matter is if you use this broken library or not.
There's no guarantee that there's insecure code in libgmp, so I don't think
it qualifies as a vulnerability.

As a possibly strange data point, none of the libgmp.so.3.4.4 libraries
distributed with the versions of Coot that I have installed require execstack:

  $ sblocate -p libgmp.so.3.4.4 | grep i386-linux/coot | xargs -n 1 execstack -q
- /programs/i386-linux/coot/0.6.1/lib/libgmp.so.3.4.4
- /programs/i386-linux/coot/0.6.1-x86_64/lib/libgmp.so.3.4.4
- /programs/i386-linux/coot/0.6.2-pre-1-r3291-x86_64/lib/libgmp.so.3.4.4
- /programs/i386-linux/coot/0.6.2-pre-1-r3291-x86_64-rh4/lib/libgmp.so.3.4.4
- /programs/i386-linux/coot/0.6.2-pre-1-r3334/lib/libgmp.so.3.4.4
- /programs/i386-linux/coot/0.6.2-pre-1-r3334-x86_64/lib/libgmp.so.3.4.4
- /programs/i386-linux/coot/0.6.2-pre-1-r3440/lib/libgmp.so.3.4.4
- /programs/i386-linux/coot/0.6.2-pre-1-r3440-x86_64/lib/libgmp.so.3.4.4

-ben

--
| Ben Eisenbraun
| SBGrid Consortium                          | http://sbgrid.org       |
| Harvard Medical School                     | http://hms.harvard.edu  |
Ben, do you have version 3.3 of this library?
In my case the binary came with both 3.3 and 3.4. Only 3.3 had this flag set; 3.4 is good. I used rev 3455 built for CentOS -64 but with python and gtk; the same problem was on an earlier build.


--

Leonid Flaks

Phone: (631) 344-2682
Fax  : (631) 344-2741
