On Linux there are binary portability problems linking to libstdc++
either statically or dynamically. It's off-topic to this thread, but:
- dlopen() on a shared library that links to libstdc++ can fail if the
host app or system uses an older version of libc (because of PT_TLS
references) and
Saul,
You're mistaken. The C++ portion of the code base at my current employer
is statically linked. We've been compiling the code that way for close
to a decade. The code itself uses STL, streams, makes heavy use of
templates, etc. We build on Debian and release on RedHat/CentOS and
Solaris
;
>> Anyway, technical mailing list is not a place to flame and learn programmers
>> how to code. :-)
>>
>> Evaldas,
>> GameConnect, Lithuania
>> www.gameconnect.lt
>>
>>
>> ----- Original Message -
>> From: "Stefan Popp"
as,
> GameConnect, Lithuania
> www.gameconnect.lt
>
>
> - Original Message -
> From: "Stefan Popp"
> To: "Half-Life dedicated Linux server mailing list"
>
> Sent: Wednesday, August 19, 2009 1:52 AM
> Subject: Re: [hlds_linux] Valve Source Engine
- Original Message -
From: "Stefan Popp"
To: "Half-Life dedicated Linux server mailing list"
Sent: Wednesday, August 19, 2009 1:52 AM
Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String
Vulnerability
>I think our discussion will never end
.gameconnect.lt
>
> - Original Message -
> From: "Stefan Popp"
> To: "Half-Life dedicated Linux server mailing list"
>
> Sent: Wednesday, August 19, 2009 12:59 AM
> Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String
> Vulnerabil
12:59 AM
Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String
Vulnerability
> That's true ;)
>
> Best example: SAP =D
>
> Oliver Salzburg wrote:
>> Well, some people just need 10 years to get their shit right...
>>
>> Evaldas Žilinskas wrote:
>>
>>
>> Evaldas,
>> GameConnect, Lithuania
>> www.gameconnect.lt
>>
>>
>> - Original Message -----
>> From: "Stefan Popp"
>> To: "Half-Life dedicated Linux server mailing list"
>>
>> Sent: Tuesday, Aug
Half-Life dedicated Linux server mailing list"
>
> Sent: Tuesday, August 18, 2009 10:37 PM
> Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String
> Vulnerability
>
>
>
>> Where's the point?
>>
>> It's their product, and they hav
If you have problems distributing a C++ application that is built
against standardized parts of C++, then you must be doing something
wrong, my friend.
If you have so many linkage problems, try linking statically.
If you already have problems on a source level, the preprocessor
is your friend.
And
er me! Believe me – NOT so easy!
>
>
> Evaldas,
> GameConnect, Lithuania
> www.gameconnect.lt
>
>
> - Original Message -
> From: "Stefan Popp"
> To: "Half-Life dedicated Linux server mailing list"
>
> Sent: Tuesday, August 18, 2009 10:37 PM
- Original Message -
From: "Stefan Popp"
To: "Half-Life dedicated Linux server mailing list"
Sent: Tuesday, August 18, 2009 10:37 PM
Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String
Vulnerability
> Where's the point?
>
> It's th
Well,
sometimes I got some problems with libraries, but with some tweaks my
stuff works to 95% on every Linux machine. I don't know how you code and
compile static stuff,
but my/our programs work fine for over 35k customers ;)
Best regards,
Stefan Popp
Saul Rennison wrote:
> Using STL in open
Using STL in open-source projects is fine as the system can compile
binaries which link into their libraries. With closed source however,
you are distributing binaries which link with libraries on YOUR
machine, which may not be the same on others.
Thanks,
- Saul.
On 18 Aug 2009, at 22:23, S
I never said there was an issue compiling it. You will find that other
systems use different library versions for STL, surprisingly, and
cause linkage issues. I know this as I've tried distributing C++
Windows / Linux apps which use STL and it's a headache. I'm only
talking from first hand
While trivial for someone who knows what they are doing to edit the
code, rebuild and most likely bypass this, the following iptables rule
will drop the exploit as provided for me (tested on a hl2 deathmatch
and cstrike:source server)
# log it
iptables -A INPUT -p udp --dport 27015 -m string --he
Sry, are you serious? I mean, are you serious?
STL = Standard template library
You are serious we are talking 100% that?
If you really mean it's not portable, you should buy a book about C++.
For myself I prefer "Bjarne Stroustrup's C++"
STL is a part of C++. Every C++ compiler should understand i
Didn't they use ASM (at least in the Source Engine leak, but that's
very outdated, not to mention possibly illegal) for the Sound Engine
and parts of mathlib?
Thanks,
- Saul.
On 18 Aug 2009, at 21:53, Gary Stanley
wrote:
> At 03:36 PM 8/18/2009, Ronny Schedel wrote:
>
>> It's not forbid
Ronny Schedel wrote:
> The problem is not the programming language, the problem is that Valve trust
> their game clients too much.
Glad you haven't seen any code from Korean MMORPGs ;)
marcel
___
To unsubscribe, edit your list preferences, or view th
If you knew anything about C++ you'd understand how unportable STL is
across various Linux distributions, and how impossible it is to
statically link it into the code.
Thanks,
- Saul.
On 18 Aug 2009, at 21:03, Stefan Popp wrote:
> That's not right ;)
>
> The programming language is the probl
At 03:36 PM 8/18/2009, Ronny Schedel wrote:
>It's not forbidden to mix different programming languages, I am sure they also
>use Assembler codes. The problem can also occur in C++, because they trust
>the client that it sends a valid string, but it can send anything.
They only use assembly code to
nt K.
> -Original Message-
> From: hlds_linux-boun...@list.valvesoftware.com
> [mailto:hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Stefan Popp
> Sent: Tuesday 18 August 2009 20:51
> To: Half-Life dedicated Linux server mailing list
> Subject: Re: [hl
It's not forbidden to mix different programming languages, I am sure they also
use Assembler codes. The problem can also occur in C++, because they trust
the client that it sends a valid string, but it can send anything.
> That's not right ;)
>
> The programming language is the problem in this ca
This 'C stuff' is actually part of the C++ standard library. Also using
streams here would be like trying to eat spaghetti with a single stick
... some will do it, others stick to the fork.
Stefan Popp wrote:
> That's not right ;)
>
> The programming language is the problem in this case. Why sho
[mailto:hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Stefan Popp
Sent: Tuesday 18 August 2009 20:51
To: Half-Life dedicated Linux server mailing list
Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String
Vulnerability
The wish is currently present ;)
Due to a lot of stuff Valve
Yes, typically the company is contacted before exploits are released...
In Valve's case though, they are so unwilling to fix anything the
exploits end up being released without a fix.
___
To unsubscribe, edit your list preferences, or view the list archi
That's not right ;)
The programming language is the problem in this case. Why should I write
my code with functions that shouldn't be used with C++?
C++ works with the stdlib, which means streams. Not C stuff. So it's
finally up to Valve to write programs which follow C++ standards not C.
You can't
The wish is currently present ;)
Due to a lot of stuff Valve didn't manage the right way ;)
1. bad code and many ways to crash servers from client side
2. changing engine stuff without telling plugin developer about changes
or any new sdk's
3. no statements about this and a lot of other points ;)
t
The problem is not the programming language, the problem is that Valve trust
their game clients too much.
> Well,
>
> Valve should start coding c++ with steams ;)
> Who works with printfs today?
>
> I hope Valve will fix the whole source to prevent overflows.
> C++ is your friend, not old C stuf
You'd wish you never bought any Valve games the day this happens.
Stefan Popp wrote:
> Sorry, but this must be corrected ;)
>
> -"Valve should start coding c++ with steams ;)"
> +"Valve should start coding c++ with streams ;)"
>
> Best regards,
> Stefan Popp
>
> Stefan Popp wrote:
>> Well,
>>
Sorry, but this must be corrected ;)
-"Valve should start coding c++ with steams ;)"
+"Valve should start coding c++ with streams ;)"
Best regards,
Stefan Popp
Stefan Popp wrote:
> Well,
>
> Valve should start coding c++ with steams ;)
> Who works with printfs today?
>
> I hope Valve will fix
Backtrace for this crash looks like:
#0 0xb7e9c463 in strlen () from /lib/tls/i686/cmov/libc.so.6
#1 0xb7e70164 in vfprintf () from /lib/tls/i686/cmov/libc.so.6
#2 0xb7e8df81 in vsnprintf () from /lib/tls/i686/cmov/libc.so.6
#3 0xb7de2690 in V_vsnprintf () from bin/vstdlib_i486.so
#4 0xb72a389
Yep, I just found that page a bit earlier today. Despite the fact that
it's a serious crash, I have no hope that valve will ever fix it (Just
like the 13 other exploits they haven't done shit about)
___
To unsubscribe, edit your list preferences, or vie
Well,
Valve should start coding c++ with steams ;)
Who works with printfs today?
I hope Valve will fix the whole source to prevent overflows.
C++ is your friend, not old C stuff...
Best regards,
Stefan Popp
Claudio Beretta wrote:
> Thanks, does anyone know if a workaround is available?
>
> BTW: a
Thanks, does anyone know if a workaround is available?
BTW: aren't "security researchers" supposed to contact the developers before
releasing 0-day exploits? This is the 2nd 0-day exploit from aluigi in a few
weeks -.-
On Tue, Aug 18, 2009 at 6:44 PM, Morgan Humes wrote:
> A friend forwarded me this
A friend forwarded me this info regarding a vulnerability. I am unable to
test this at the moment, but it does look like it is possible. Thought I
would get this out to the community before others start using this to cause
havoc.
http://www.vupen.com/english/advisories/2009/2296
http://aluig