On Mon, Jan 04, 2010 at 01:20:33AM -0800, Kees Cook wrote: > Package: eglibc > Version: 2.10.2-3 > Severity: normal > Tags: patch > User: ubuntu-de...@lists.ubuntu.com > Usertags: origin-ubuntu lucid ubuntu-patch > > Hello!
Hi > As more packages (perhaps all!) start using either hardening-wrapper > or the hardening-includes packages to gain the -D_FORTIFY_SOURCE=2 and > -fstack-protector compiler flags, it starts becoming important to handle > a number of special cases that upstream glibc either hasn't acted on or > has inappropriately rejected. > > I would like to include the following patches that Ubuntu has carried for > several releases now. (Note that submitted-leading-zero-stack-guard.diff > will need to be adjusted slightly if stack-guard-quick-randomization.diff > is not applied.) I have applied the two stack protection patches in the Debian package, but not the two other ones. See my comments below. > no-sprintf-pre-truncate.diff > The sprintf function used when -D_FORTIFY_SOURCE=2 is used incorrectly > pre-truncates the destination buffer; this changes the long-standing > expectation of sprintf(foo,"%sbaz",foo) to work. See the patch for > further discussion. As explained in the bug report, this code is not valid anyway. If we want people to fix their code, we should not workaround the issue. Also I am not able to evaluate the impact on the fix, and don't know if it may introduce a security bug. > local-fwrite-no-attr-unused.diff > Again, patch contains discussion, but basically, this disables a > useless and noisy warning that -D_FORTIFY_SOURCE=2 triggers. I think people should either not use -D_FORTIFY_SOURCE=2 or fix their code. This is a warning anyway. I agree an error can happens up to the fclose() call, but it's not an excuse to not check possible errors at the fwrite() level. The real bug is actually that fclose() is not marked __wur, and that's probably what has to be fixed. -- Aurelien Jarno GPG: 1024D/F1BCDB73 aurel...@aurel32.net http://www.aurel32.net -- To UNSUBSCRIBE, email to debian-glibc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org