Just to state the obvious, the LD_PRELOAD risk does not go away when you don’t use the feature. I think this scan result should be ignored (at best). It is more a weakness of the Linux bintools/ld and not your extension.
(In normal usage there is no risk, as an attacker who can modify the environment variables of a user can also execute malicious code directly; however, there have been problems with environment variable handling in su, cgi and sshd in the past, so it might be worth not forgetting about it.)

Regards,
Bernd
--
http://bernd.eckenfels.net

________________________________
From: security-dev <security-dev-boun...@openjdk.java.net> on behalf of Christian Heinrich <christian.heinr...@cmlh.id.au>
Sent: Tuesday, April 16, 2019 2:55 AM
To: Hank Edwards
Cc: security-dev@openjdk.java.net
Subject: Re: JNI Signal Chaining and OWASP (Security)

Hank,

On Fri, 12 Apr 2019 at 09:41, Hank Edwards <hedwa...@crawfordtech.com> wrote:
> We've recently discovered that the use of C is considered a code injection
> risk by security analysis tools, such as ones that check for OWASP 2017.

I contribute to https://github.com/OWASP/Top10/pull/450

Can you please disclose the specific candidate[s] your security analysis tool has cited within the OWASP Top Ten 2017 release?

--
Regards,
Christian Heinrich
http://cmlh.id.au/contact
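Bernd's point is that LD_PRELOAD is a property of the dynamic loader, not of the JNI signal-chaining library, so the place to look for it is the environment of running processes and the system-wide preload file. The following is an added example, not code from this thread or from OpenJDK: it parses the NUL-separated `/proc/<pid>/environ` format, reports which libraries an `LD_PRELOAD` entry would inject, and reads `/etc/ld.so.preload`, glibc's file-based equivalent. The `SAMPLE_ENVIRON` block and the library paths in it are constructed for the demonstration.

```python
"""Added example: detect LD_PRELOAD injection points on a Linux host.
Not part of the security-dev thread; the sample environ block below is
constructed, and /proc layout is glibc/Linux as documented in proc(5)."""
from pathlib import Path
from typing import Dict, List


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Split the NUL-separated KEY=VALUE block read from /proc/<pid>/environ.
    Entries without '=' are ignored; the value may itself contain '='."""
    env: Dict[str, str] = {}
    for entry in raw.split(b"\0"):
        if not entry:
            continue
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def find_preload(env: Dict[str, str]) -> List[str]:
    """Return the library paths an LD_PRELOAD entry would inject, if any.
    glibc accepts both ':' and whitespace as separators in LD_PRELOAD."""
    value = env.get("LD_PRELOAD", "")
    return [p for p in value.replace(":", " ").split() if p]


def scan_proc(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Walk /proc and report every pid whose environment carries LD_PRELOAD.
    Entries that cannot be read (other users' processes without privilege,
    pids that exited mid-scan) are skipped rather than treated as findings."""
    hits: Dict[int, List[str]] = {}
    root = Path(proc_root)
    if not root.is_dir():
        return hits
    for entry in root.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            raw = (entry / "environ").read_bytes()
        except OSError:
            continue
        libs = find_preload(parse_environ(raw))
        if libs:
            hits[int(entry.name)] = libs
    return hits


def read_ld_so_preload(path: str = "/etc/ld.so.preload") -> List[str]:
    """System-wide preload list: one library per line, '#' starts a comment.
    Anything listed here is loaded into every dynamically linked program,
    regardless of the environment, so a non-empty file deserves review."""
    try:
        lines = Path(path).read_text().splitlines()
    except OSError:
        return []
    cleaned = (line.split("#", 1)[0].strip() for line in lines)
    return [lib for lib in cleaned if lib]


# Constructed sample: environ block of a hypothetical process started with
# two preloaded libraries (paths are placeholders, not real artefacts).
SAMPLE_ENVIRON = (
    b"PATH=/usr/bin\0"
    b"LD_PRELOAD=/tmp/untrusted.so:/opt/lib/hook.so\0"
    b"HOME=/home/user\0"
)

if __name__ == "__main__":
    print("sample:", find_preload(parse_environ(SAMPLE_ENVIRON)))
    print("ld.so.preload:", read_ld_so_preload())
    for pid, libs in sorted(scan_proc().items()):
        print(pid, libs)
```

Run as root to see other users' processes; as an unprivileged user only your own environ files are readable. A non-empty result is not automatically malicious (debugging and profiling tools use LD_PRELOAD legitimately), but it is the inventory a reviewer needs when deciding whether a scanner finding like the one in this thread reflects real exposure.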