Bug#650536: [new check] test for missing hardening build flags

2011-12-13 Thread Alexander Reichle-Schmehl
[ Good god... did I really send a full quote in that mail? Sorry. ] Hi! * Alexander Reichle-Schmehl [111208 10:13]: > > If we can get a reliable backporter for hardening-wrapper as well, > > most of my concerns here covered. On the lintian.d.o side, it means we > > may have to nag DSA for a

Bug#650536: [new check] test for missing hardening build flags

2011-12-09 Thread Kees Cook
On Fri, Dec 09, 2011 at 09:27:18AM +0100, Alexander Reichle-Schmehl wrote: > Am 08.12.2011 23:40, schrieb Kees Cook: > >> Backporting concerns and output stability: > >> == > >> > >> Both the FTP-masters and Lintian.d.o need everything in stable (or > >> sta

Bug#650536: [new check] test for missing hardening build flags

2011-12-09 Thread Alexander Reichle-Schmehl
Hi! Am 08.12.2011 23:40, schrieb Kees Cook: >> Backporting concerns and output stability: >> == >> >> Both the FTP-masters and Lintian.d.o need everything in stable (or >> stable-backports). >> [..] > Given that dpkg-buildflags won't be backported, perhaps

Bug#650536: [new check] test for missing hardening build flags

2011-12-08 Thread Kees Cook
On Thu, Dec 08, 2011 at 11:50:19AM +0100, Jakub Wilk wrote: > Currently ldd is used to discover which libc the binaries are linked > to, in order to read symbols from the libc library. But this won't > work, even when using readelf, for foreign architecture binaries, > for the simple reason that such

Bug#650536: [new check] test for missing hardening build flags

2011-12-08 Thread Kees Cook
On Thu, Dec 08, 2011 at 12:06:37PM +0100, Niels Thykier wrote: > I was informed (and have verified) that hardening-check uses "ldd(1)". > Unfortunately, ldd(1) appears to be (semi-)executing the binaries it > is run on[1]. This smells like a CVE in the making, so would it be > possible for you to

Bug#650536: [new check] test for missing hardening build flags

2011-12-08 Thread Kees Cook
On Sat, Dec 03, 2011 at 11:20:05AM +0100, Niels Thykier wrote: > On 2011-12-02 01:33, Kees Cook wrote: > > 1) With these build tests added, all the other internal lintian tests > >need to either: > > a) add the new warnings to their "tags" file, or > > b) have all their builds a

Bug#650536: [new check] test for missing hardening build flags

2011-12-08 Thread Jakub Wilk
* Niels Thykier , 2011-12-08, 12:06: I was informed (and have verified) that hardening-check uses "ldd(1)". Unfortunately, ldd(1) appears to be (semi-)executing the binaries it is run on[1]. This smells like a CVE in the making, AFAIUI, ldd in our libc is not vulnerable to arbitrary code exec

Bug#650536: [new check] test for missing hardening build flags

2011-12-08 Thread Niels Thykier
Package: lintian Version: 2.5.4 Followup-For: Bug #650536 Hi, I was informed (and have verified) that hardening-check uses "ldd(1)". Unfortunately, ldd(1) appears to be (semi-)executing the binaries it is run on[1]. This smells like a CVE in the making, so would it be possible for you to update

Bug#650536: [new check] test for missing hardening build flags

2011-12-08 Thread Alexander Reichle-Schmehl
Hi! Am 08.12.2011 10:13, schrieb Alexander Reichle-Schmehl: > As your fellow backporter I took a quick glance at the hardening-wrapper > package, and didn't spot any problems so far (as in: I could create > a backport, install it, and can still compile stuff). However, as I'm > not very famil

Bug#650536: [new check] test for missing hardening build flags

2011-12-08 Thread Alexander Reichle-Schmehl
Hi! As your fellow backporter I took a quick glance at the hardening-wrapper package, and didn't spot any problems so far (as in: I could create a backport, install it, and can still compile stuff). However, as I'm not very familiar with it, I'll ping the maintainers for their opinion. Also n

Bug#650536: [new check] test for missing hardening build flags

2011-12-03 Thread Niels Thykier
On 2011-12-02 01:33, Kees Cook wrote: > Hi! > Hey, Kees, Jakub and I had a chat about this yesterday in #d-devel. Also, I have CC'ed Alexander due to your/his role as our backporter and as ftp team member (Alexander, you may want to fast-forward to "Backporting concerns" below). > Attached is a