On Thu, Dec 08, 2011 at 12:06:37PM +0100, Niels Thykier wrote:
> I was informed (and have verified) that hardening-check uses "ldd(1)".
> Unfortunately, ldd(1) appears to be (semi-)executing the binaries it
> is run on[1].  This smells like a CVE in the making, so would it be
> possible for you to update hardening-check to use readelf instead[2]?

Yeah, I can do this manually instead of invoking ldd(1). From the
perspective of doing build checks, it seems like a non-issue, but better to
just fix it anyway. I'll update hardening-check.

-- 
Kees Cook                                            @debian.org
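
Added example, not part of the original message and not hardening-check's own code: a Python parser that lists a binary's DT_NEEDED entries by reading the ELF dynamic section directly, which is the information `readelf -d` reports, so the inspected file is never handed to the dynamic loader. It covers only ELF64 little-endian images; `needed_libraries` and `build_sample` are hypothetical names, and the sample image is constructed for the example.

```python
import struct
from itertools import takewhile

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5

def needed_libraries(data):
    """List DT_NEEDED names of an ELF64 little-endian image from its bytes alone."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not an ELF64 little-endian image")
    try:
        phoff, _, _, _, phentsize, phnum = struct.unpack_from("<QQIHHH", data, 0x20)
        segs = []  # (p_type, p_offset, p_vaddr, p_filesz)
        for i in range(phnum):
            ph = struct.unpack_from("<IIQQQQ", data, phoff + i * phentsize)
            segs.append((ph[0], ph[2], ph[3], ph[5]))
    except (struct.error, OverflowError) as exc:
        raise ValueError("truncated or malformed ELF image") from exc
    dyn = next((s for s in segs if s[0] == PT_DYNAMIC), None)
    if dyn is None:
        return []  # statically linked: no dynamic section
    raw = data[dyn[1]:dyn[1] + dyn[3]]
    entries = list(takewhile(lambda d: d[0] != DT_NULL,
                             struct.iter_unpack("<qQ", raw[:len(raw) // 16 * 16])))
    strtab = next((v for t, v in entries if t == DT_STRTAB), None)
    # DT_STRTAB is a virtual address; map it to a file offset through PT_LOAD.
    load = next((s for s in segs if s[0] == PT_LOAD and strtab is not None
                 and s[2] <= strtab < s[2] + s[3]), None)
    if load is None:
        raise ValueError("DT_STRTAB missing or not inside a PT_LOAD segment")
    base = load[1] + strtab - load[2]
    return [data[base + v:data.index(b"\0", base + v)].decode("ascii", "replace")
            for t, v in entries if t == DT_NEEDED]

def build_sample(libs, vaddr=0x400000):
    """Constructed sample input: a minimal ELF64 image that is never executed."""
    names = b"\0" + b"".join(lib.encode() + b"\0" for lib in libs)
    offs = [names.index(b"\0" + lib.encode() + b"\0") + 1 for lib in libs]
    dyn_off = 64 + 2 * 56  # ELF header followed by two program headers
    str_off = dyn_off + 16 * (len(libs) + 2)
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offs)
    dyn += struct.pack("<qQqQ", DT_STRTAB, vaddr + str_off, DT_NULL, 0)
    total = str_off + len(names)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, vaddr, vaddr, total, total, 0x1000)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, vaddr + dyn_off,
                         vaddr + dyn_off, len(dyn), len(dyn), 8)
    return ehdr + phdrs + dyn + names
```

Malformed or truncated input raises `ValueError` rather than being passed on, so a build check can treat a parse failure as a finding of its own.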


