Re: Problems in automatic crash analysis frameworks

[Tavis Ormandy <taviso () google com>]

On Tue, May 5, 2015 at 12:37 PM, Florian Weimer <fweimer () redhat com> wrote:
> On 05/05/2015 09:01 PM, Tavis Ormandy wrote:
> > On Tue, May 5, 2015 at 5:17 AM, Florian Weimer <fweimer () redhat com> wrote:
> > > On 04/23/2015 09:10 PM, Florian Weimer wrote:
> > > > On 04/17/2015 09:16 PM, Florian Weimer wrote:
> > > > > A quick update on the abrt situation.
> > > >
> > > > Another update.  We now have a public tracking bug listing the issues:
> > > >
> > > >   <https://bugzilla.redhat.com/show_bug.cgi?id=1214172>
> > >
> > >
> > > There is a public build (against EPEL7) of the consolidated fixes,
> > > available as a Copr repository:
> > >
> > >   <http://copr.fedoraproject.org/coprs/jfilak/abrt-hardened/>
> > >
> > > This also includes the consolidated fixes.
> > >
> > > At this stage, we'd appreciate additional comments/reviews.
> >
> > Thanks Florian, this looks great. I'm just looking at the new ccpp, Is
> > it intentional that os-release and so on are still copied from the
> > process root?
>
> Thanks for taking a look.  Have you downloaded the Copr builds?
>
> In 0092-ccpp-do-not-read-data-from-root-directories.patch for abrt, the
> root directory argument for dd_create_basic_files is changed to NULL,
> which means that the copying inside dd_create_basic_files will not
> happen (although the code is still around).  As far as I can tell, this
> patch is also applied in the build.  Is there some other copying
> operation I'm missing?

No, you're correct, I was just reading the code and didn't see rootdir
was always NULL, oops.

I'll take a look at the other changes.

Tavis.