Re: Qualys Security Advisory - The Stack Clash

[nospam () curso re]

Qualys Security Advisory <qsa () qualys com>
writes:

> Hi Solar, all,
>
> On Tue, Jun 20, 2017 at 03:22:04PM +0200, Solar Designer wrote:
> > Qualys, I suggest that, like you did with the Sudo exploit, you publish
> > your Stack Clash exploits in here as soon as third-party exploits of
> > comparable functionality appear, or next Tuesday, whichever is earlier.
>
> We have discussed this internally, and we will first publish the Stack
> Clash exploits and proofs-of-concepts that we sent to the distros@ and
> linux-distros@ lists, plus our Linux ld.so exploit for amd64, and our
> Solaris rsh exploit.
>
> We will do so next Tuesday, but we will publish our Linux exploits and
> proofs-of-concept if and only if Fedora updates are ready by then, our
> NetBSD proof-of-concept if and only if NetBSD patches are ready by then,
> and our FreeBSD proofs-of-concept if and only if FreeBSD patches are
> ready by then.
>
> If someone happens to know of another major distribution that has not
> published patches and updates yet, please let us all know by replying
> here to oss-security. Thank you very much!
>
> With best regards,

(posting from gmane... I hope it's OK)

Hello,

not sure it counts as a major distribution (probably not), but NixOS
(https://nixos.org) is gaining traction and, as far as I understand,
they are working on patches but they don't seem to be ready yet.

Many thanks to everybody for your work,

-- S.