On Tue, August 8, 2006 15:25, Robert Connolly wrote:
> On Tuesday 08 August 2006 13:27, thorsten wrote:
>
>> Ok, I forgot -no-pie which prevented the shell to be launched. SSP does
>> NOT prevent the format string exploit!
>
> Thank you for verifying this.
>
> Libsafe is lgpl. Traditionally libsafe is preloaded, via
> /etc/ld.so.preload, which makes it fairly easy to bypass and vulnerable
> to environment settings. I'm going to see about adding Libsafe to libc.so
> so it can't be disabled so easily. However if I remember correctly it
> causes a few Binutils tests to fail. Maybe there are alternative
> libraries to Libsafe too. It would be a backup to Grsecurity in case
> Grsecurity is misconfigured, or disabled.

Libsafe didn't get updated in a very long time and also just got deleted from Freshmeat. Not sure how that will affect things or if it's going to break with some glibc update in the future (I'm not much of a programmer...)

--
Regards
Heiko Zuerker
http://www.devil-linux.org
