** Description changed:

  glibc's SSP implementation is using only the static 0xff0a0000 guard value. Fedora has been carrying an unupstreamed glibc patch for 3 years to make this relatively random. (see _dl_setup_stack_chk_guard):
  http://cvs.fedora.redhat.com/viewvc/devel/glibc/glibc-fedora.patch?revision=1.283&view=markup
+
+ TEST CASE:
+ bzr branch lp:~ubuntu-bugcontrol/qa-regression-testing/master qa-regression-testing
+ cd qa-regression-testing/scripts
+ sudo apt-get install lsb-release build-essential
+ ./test-glibc-security.py -v
+
+ EXPECTED:
+ Build helper tools ... (8.04) ok
+ glibc heap protection ... ok
+ sprintf not pre-truncated with -D_FORTIFY_SOURCE=2 ... (skipped: Hardy known broken) ok
+ glibc pointer obfuscation ... ok
+ Password hashes ... (md5) ok
+ Stack guard exists ... ok
+ Stack guard leads with zero byte ... ok
+ Stack guard is randomized ... ok
+
+ CURRENTLY:
+ Stack guard is randomized ... FAIL
+
+ ======================================================================
+ FAIL: Stack guard is randomized
+ ----------------------------------------------------------------------
+ Traceback (most recent call last):
+   File "./test-glibc-security.py", line 199, in test_82_stack_guard_randomized
+     self.assertEqual(one != two and one != three and two != three, expected, one + two + three)
+ AssertionError: 0xff0a0000
+ 0xff0a0000
+ 0xff0a0000

** Description changed:

  glibc's SSP implementation is using only the static 0xff0a0000 guard value. Fedora has been carrying an unupstreamed glibc patch for 3 years to make this relatively random. (see _dl_setup_stack_chk_guard):
  http://cvs.fedora.redhat.com/viewvc/devel/glibc/glibc-fedora.patch?revision=1.283&view=markup
+
+ statement explaining the impact: stack overflow attacks are easier to launch when the stack guard is a known value.
+ how the bug has been addressed: Fedora patch ported in Intrepid, Jaunty. Karmic uses AT_RANDOM.
+ regression potential: comparing build log output shows no differences -- all tests seem to pass:
+ https://edge.launchpad.net/~kees/+archive/ppa/+build/1159081
+
  TEST CASE:
  bzr branch lp:~ubuntu-bugcontrol/qa-regression-testing/master qa-regression-testing
  cd qa-regression-testing/scripts
  sudo apt-get install lsb-release build-essential
  ./test-glibc-security.py -v

  EXPECTED:
  Build helper tools ... (8.04) ok
  glibc heap protection ... ok
  sprintf not pre-truncated with -D_FORTIFY_SOURCE=2 ... (skipped: Hardy known broken) ok
  glibc pointer obfuscation ... ok
  Password hashes ... (md5) ok
  Stack guard exists ... ok
  Stack guard leads with zero byte ... ok
  Stack guard is randomized ... ok

  CURRENTLY:
  Stack guard is randomized ... FAIL

  ======================================================================
  FAIL: Stack guard is randomized
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "./test-glibc-security.py", line 199, in test_82_stack_guard_randomized
      self.assertEqual(one != two and one != three and two != three, expected, one + two + three)
  AssertionError: 0xff0a0000
  0xff0a0000
  0xff0a0000

-- 
stack protector guard value uses a static sentinel
https://bugs.launchpad.net/bugs/275493
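The failing check above, as an added example that is not code from the bug report, glibc, or the test suite: a simplified model of guard setup on 32-bit little-endian x86 that falls back to the static 0xff0a0000 value when no random bytes are supplied, with the "leads with zero byte" and "is randomized" properties evaluated over three starts. The names setup_guard, guard_leads_with_zero, guards_randomized and the SAMPLE_RANDOM bytes are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for per-process random bytes (e.g. from AT_RANDOM). */
static const unsigned char SAMPLE_RANDOM[3][4] = {
    {0x5a, 0x11, 0x22, 0x33}, {0xc4, 0x9e, 0x07, 0xb1}, {0x13, 0x68, 0xf0, 0x4d},
};

/* Hypothetical model of guard setup, not glibc's own code.
 * b[0] is the byte at the lowest address of the guard word. */
uint32_t setup_guard(const unsigned char *random_bytes)
{
    unsigned char b[4] = {0, 0, 0, 0};
    if (random_bytes == NULL) {
        b[3] = 0xff;   /* static fallback: bytes 00 00 0a ff in memory */
        b[2] = '\n';
    } else {
        memcpy(b, random_bytes, sizeof b);
        b[0] = 0;      /* keep a leading NUL so string copies stop at the guard */
    }
    /* Assemble as a little-endian word regardless of host byte order. */
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* "Stack guard leads with zero byte": lowest-address byte is 0x00. */
int guard_leads_with_zero(uint32_t g) { return (g & 0xffu) == 0; }

/* Same comparison as the assertion in the traceback: three runs, all distinct. */
int guards_randomized(uint32_t one, uint32_t two, uint32_t three)
{
    return one != two && one != three && two != three;
}

int main(void)
{
    uint32_t fixed = setup_guard(NULL);
    uint32_t g[3];
    for (int i = 0; i < 3; i++)
        g[i] = setup_guard(SAMPLE_RANDOM[i]);
    printf("static guard 0x%08x: zero-lead=%d randomized=%d\n", (unsigned)fixed,
           guard_leads_with_zero(fixed), guards_randomized(fixed, fixed, fixed));
    printf("random guards 0x%08x 0x%08x 0x%08x: zero-lead=%d randomized=%d\n",
           (unsigned)g[0], (unsigned)g[1], (unsigned)g[2],
           guard_leads_with_zero(g[0]), guards_randomized(g[0], g[1], g[2]));
    return 0;
}
```

The static value satisfies the zero-byte check but not the randomization check, which matches the single FAIL in the report.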
