Re: Qualys Security Advisory - Roaming through the OpenSSH client: CVE-2016-0777 and CVE-2016-0778

[Rich Felker <dalias () libc org>]

On Fri, Jan 15, 2016 at 01:56:33PM +0100, Yann Droneaud wrote:
> Hi,
>
> Le vendredi 15 janvier 2016 à 12:06 +0100, Florian Weimer a écrit :
> > On 01/14/2016 06:13 PM, Qualys Security Advisory wrote:
> > > Internal stdio buffering is the most severe of the three problems
> > > discussed in this section, although GNU/Linux is not affected
> > > because the glibc mmap()s and munmap()s (and therefore cleanses)
> > > stdio buffers.
> >
> > This will change in glibc 2.23, stdio will use regular malloc and
> > free for its buffers.  I did not expect this change to have security
> > implications.  Considering that the actual bug lies elsewhere, and
> > stdio usage is based on copying out of the buffer (so leaks can still
> > happen elsewhere), I do not wish to revert this change.
>
> Would setvbuf(stream, NULL, _IONBF, 0); be used to disable buffer
> before reading/writting sensible data to a stream ?

Yes. Or preferably you could provide a custom buffer pointer for the
stdio FILE to use and clear it safely yourself after calling fclose.

> What about a buffering flag (_IOSBF) that would enable "secure" 
> handling of the buffer, that is, on fclose() and fflush(), write
> back and cleanse buffer on output stream, cleanse buffer on input
> stream ?

This sounds undesirable when there is already a portable fix (above).
There are also some issues with compatibility for such a feature
between versions and what symbol versioning might be needed.

Rich