oss-sec mailing list archives
Re: libdbus hardening
From: Sebastian Krahmer <krahmer () suse de>
Date: Tue, 10 Jul 2012 16:11:12 +0200
I am fine with either solution and would prefer upstream patches anyway, but it turned out in the past that nobody from upstream is willing to add such patches. I tried a year ago with openssl and AFAIK it's still suffering (at least I never heard back). If you compile your openssh '--with-ssl-engine' you have an easy root exploit (given that ssh-keysign is mode 04755 such as on Debian) via OPENSSL_config(). If you ask me, that's quite poor for a framework that wants to add security to the system.

So, I do not have any problems adding our own patch sets rather than waiting for another year. Another lib that should receive a patch is libudev.

Sebastian

On Tue, Jul 10, 2012 at 05:43:36PM +0400, Solar Designer wrote:
> On Tue, Jul 10, 2012 at 03:13:55PM +0200, Florian Weimer wrote:
> > Perhaps we can put a getenv_secure() into libc, which will perform all the appropriate checks (including future checks we do not know about yet)? Duplicating the code in many libraries does not seem prudent.
>
> We already have __secure_getenv() in glibc, which I think is what libraries like this should be using on systems with glibc. Apparently, it was even in LSB until 1.3 inclusive, but was since dropped from there?
>
> Alexander
--
~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer () suse de - SuSE Security Team
---
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany
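The getenv_secure()/__secure_getenv() idea discussed in the thread, as an added example that is not code from the thread, glibc or any of the libraries named: a shim that refuses to honour environment variables when the process runs with elevated privileges (AT_SECURE from the auxiliary vector, or a uid/gid mismatch), and a config-path lookup that falls back to a trusted default. The names getenv_secure_ex, process_is_secure, config_path and the variable EXAMPLE_CONF are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(AT_SECURE), glibc >= 2.16 */
#endif

/* Hypothetical helper: is this process privilege-elevated (setuid/setgid,
 * file capabilities, ...)? Prefer the kernel's verdict via AT_SECURE;
 * fall back to comparing real and effective ids. */
int process_is_secure(void)
{
#if defined(__linux__) && defined(AT_SECURE)
    if (getauxval(AT_SECURE) != 0)
        return 1;
#endif
    return getuid() != geteuid() || getgid() != getegid();
}

/* Hypothetical getenv_secure(): same contract as glibc's secure_getenv().
 * The 'secure' flag is passed in explicitly so the behaviour can be
 * exercised without actually installing a setuid binary. */
const char *getenv_secure_ex(const char *name, int secure)
{
    if (secure)
        return NULL;           /* never trust the environment here */
    return getenv(name);
}

const char *getenv_secure(const char *name)
{
    return getenv_secure_ex(name, process_is_secure());
}

/* Where a library would look up its configuration file: the environment
 * override is only honoured in an unprivileged process, otherwise the
 * compiled-in default wins. */
const char *config_path(int secure)
{
    const char *p = getenv_secure_ex("EXAMPLE_CONF", secure);
    return p ? p : "/etc/example/example.conf";
}
```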