On Fri, 20 Sep 2013, Kees Cook wrote: > This is absolutely a bug in glibc. While the spec can say "undefined", it > is, in fact, not undefined. It worked in a very specific way for over a > decade, so that's pretty well defined. ;) The fortify function has no need > to change it.
FWIW +1 > > To mitigate this issue, besides reporting upstream, for now I had to disable > > this fortification with > > DEB_BUILD_HARDENING_FORTIFY := 0 > > preceding inclusion of /usr/share/hardening-includes/hardening.make > Instead, if eglibc continues to remain unfixed, you can replace the > "buggy" sprintf calls with the suggestions listed in my original mass > bug-filing email above. Thanks Kees! upstream resolved it already... I will eventually add unittests for this and rebuild freshier upstream. -- Yaroslav O. Halchenko, Ph.D. http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org Senior Research Associate, Psychological and Brain Sciences Dept. Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755 Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419 WWW: http://www.linkedin.com/in/yarik -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20130921231256.ge27...@onerussian.com