oss-sec mailing list archives
Re: CVE id request: libc fortify source information disclosure
From: Tomas Hoger <thoger () redhat com>
Date: Thu, 2 Sep 2010 17:56:39 +0200
On Tue, 31 Aug 2010 16:02:14 -0400 (EDT) Steven M. Christey wrote:

> The risk may be very minimal, but the FORTIFY_SOURCE protection mechanism is not working "as advertised" - it can be manipulated for an admittedly-small information leak.

For the sake of correctness, protective technology that kicks in in Dan's example is stack protector, not FORTIFY_SOURCE. Though it's probably still glibc to blame for using the same error-reporting function in both cases.

On Wed, 25 Aug 2010 21:49:20 +0200 Nico Golde wrote:

> As this also works for setuid programs it would be nice to get one assigned and have this patched.

It seems the fix would need to remove all possibly-useful info from the error message.

--
Tomas Hoger / Red Hat Security Response Team