Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-19 Thread Shane Turner
Saul, You're mistaken. The C++ portion of the code base at my current employer is statically linked. We've been compiling the code that way for close to a decade. The code itself uses STL, streams, makes heavy use of templates, etc. We build on Debian and release on RedHat/CentOS and Solaris

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-19 Thread David Anderson
On Linux there are binary portability problems linking to libstdc++ either statically or dynamically. It's off-topic to this thread, but: - dlopen() on a shared library that links to libstdc++ can fail if the host app or system uses an older version of libc (because of PT_TLS references) and

[hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Morgan Humes
A friend forwarded me this info regarding a vulnerability. I am unable to test this at the moment, but it does look like it is possible. Thought I would get this out to the community before others start using this to cause havoc. http://www.vupen.com/english/advisories/2009/2296

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Claudio Beretta
Thanks, does anyone know if a workaround is available? BTW: aren't security researchers supposed to contact the developers before releasing 0-day exploits? This is the 2nd 0-day exploit from aluigi in a few weeks -.- On Tue, Aug 18, 2009 at 6:44 PM, Morgan Humes mrh9...@lanaddict.com wrote: A

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Stefan Popp
Sorry, but this must be corrected ;) -Valve should start coding c++ with steams ;) +Valve should start coding c++ with streams ;) Best regards, Stefan Popp Stefan Popp schrieb: Well, Valve should start coding c++ with steams ;) Who works with printfs today? I hope Valve will fix the whole

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Adam Nowacki
You'd wish you never bought any Valve games the day this happens. Stefan Popp wrote: Sorry, but this must be corrected ;) -Valve should start coding c++ with steams ;) +Valve should start coding c++ with streams ;) Best regards, Stefan Popp Stefan Popp schrieb: Well, Valve should

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Ronny Schedel
The problem is not the programming language, the problem is that Valve trust their game clients too much. Well, Valve should start coding c++ with steams ;) Who works with printfs today? I hope Valve will fix the whole source to prevent overflows. C++ is your friend, not old C stuff...

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Stefan Popp
The wish is currently present ;) Due to a lot of stuff Valve didn't manage the right way ;) 1. bad code and many ways to crash servers from client side 2. changing engine stuff without telling plugin developers about changes or any new SDKs 3. no statements about this and a lot of other points ;)

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Stefan Popp
That's not right ;) The programming language is the problem in this case. Why should I write my code with functions that shouldn't be used with C++? C++ works with the stdlib, which means streams. Not C stuff. So it's finally up to Valve to write programs which follow C++ standards, not C. You

Re: [hlds_linux] Valve Source Engine Console Message Format, String Vulnerability

2009-08-18 Thread Brian Rak
Yes, typically the company is contacted before exploits are released... In Valve's case though, they are so unwilling to fix anything the exploits end up being released without a fix. ___ To unsubscribe, edit your list preferences, or view the list

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Saint K .
[mailto:hlds_linux-boun...@list.valvesoftware.com] On Behalf Of Stefan Popp Sent: dinsdag 18 augustus 2009 20:51 To: Half-Life dedicated Linux server mailing list Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability The wish is currently present ;) Due to a lot of stuff Valve

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Adam Nowacki
This 'C stuff' is actually part of the C++ standard library. Also using streams here would be like trying to eat spaghetti with a single stick ... some will do it, others stick to the fork. Stefan Popp wrote: That's not right ;) The programming language is the problem in this case. Why

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Ronny Schedel
It's not forbidden to mix different programming languages, I am sure they also use Assembler codes. The problem can also occur in C++, because they trust the client that it sends a valid string, but it can send anything. That's not right ;) The programming language is the problem in this

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Gary Stanley
At 03:36 PM 8/18/2009, Ronny Schedel wrote: It's not forbidden to mix different programming languages, I am sure they also use Assembler codes. The problem can also occur in C++, because they trust the client that it sends a valid string, but it can send anything. They only use assembly code to

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Saul Rennison
If you knew anything about C++ you'd understand how unportable STL is across various Linux distributions, and how impossible it is to statically link it into the code. Thanks, - Saul. On 18 Aug 2009, at 21:03, Stefan Popp m...@stefanpopp.de wrote: That's not right ;) The programming

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Marcel
Ronny Schedel wrote: The problem is not the programming language, the problem is that Valve trust their game clients too much. Glad you haven't seen any code from Korean MMORPGs ;) marcel

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Saul Rennison
Didn't they use ASM (at least in the Source Engine leak, but that's very outdated, not to mention possibly illegal) for the Sound Engine and parts of mathlib? Thanks, - Saul. On 18 Aug 2009, at 21:53, Gary Stanley g...@velocity-servers.net wrote: At 03:36 PM 8/18/2009, Ronny Schedel

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Stefan Popp
Sry, are you serious? I mean, are you serious? STL = Standard template library You are serious we are talking 100% that? If you really mean it's not portable, you should buy a book about C++. For myself I prefer Bjarne Stroustrup's C++ STL is a part of C++. Every C++ compiler should understand

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Darren M
While trivial for someone who knows what they are doing to edit the code, rebuild and most likely bypass this, the following iptables rule will drop the exploit as provided for me (tested on a hl2 deathmatch and cstrike:source server)
# log it
iptables -A INPUT -p udp --dport 27015 -m string

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Saul Rennison
I never said there was an issue compiling it. You will find that other systems use different library versions for STL, surprisingly, and cause linkage issues. I know this as I've tried distributing C++ Windows / Linux apps which use STL and it's a headache. I'm only talking from first hand

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Saul Rennison
Using STL in open-source projects is fine as the system can compile binaries which link into their libraries. With closed source however, you are distributing binaries which link with libraries on YOUR machine, which may not be the same on others. Thanks, - Saul. On 18 Aug 2009, at 22:23,

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Stefan Popp
Well, sometimes I got some problems with libraries, but with some tweaks my stuff works to 95% on every linux machine. I don't know how you code and compile static stuff, but my/our programs work fine for over 35k customers ;) Best regards, Stefan Popp Saul Rennison schrieb: Using STL in

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Evaldas Žilinskas
- Original Message - From: Stefan Popp m...@stefanpopp.de To: Half-Life dedicated Linux server mailing list hlds_linux@list.valvesoftware.com Sent: Tuesday, August 18, 2009 10:37 PM Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability Where's

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Stefan Popp
: Stefan Popp m...@stefanpopp.de To: Half-Life dedicated Linux server mailing list hlds_linux@list.valvesoftware.com Sent: Tuesday, August 18, 2009 10:37 PM Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability Where's the point? It's their product

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Oliver Salzburg
If you have problems distributing a C++ application that is built against standardized parts of C++, then you must be doing something wrong, my friend. If you have so many linkage problems, try linking statically. If you already have problems on a source level, the preprocessor is your friend.

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Oliver Salzburg
:37 PM Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability Where's the point? It's their product, and they have to support the product. If I code any application and I wait 4 weeks (or more :P) until I fix anything for my customers, I can go directly

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Stefan Popp
hlds_linux@list.valvesoftware.com Sent: Tuesday, August 18, 2009 10:37 PM Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability Where's the point? It's their product, and they have to support the product. If I code any application and I wait 4

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Evaldas Žilinskas
: Wednesday, August 19, 2009 12:59 AM Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability That's true ;) Best example: SAP =D Oliver Salzburg schrieb: Well, some people just need 10 years to get their shit right... Evaldas Žilinskas wrote: Oh… Show me

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Stefan Popp
...@stefanpopp.de To: Half-Life dedicated Linux server mailing list hlds_linux@list.valvesoftware.com Sent: Wednesday, August 19, 2009 12:59 AM Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability That's true ;) Best example: SAP =D Oliver

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Evaldas, GameConnect
- Original Message - From: Stefan Popp m...@stefanpopp.de To: Half-Life dedicated Linux server mailing list hlds_linux@list.valvesoftware.com Sent: Wednesday, August 19, 2009 1:52 AM Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability I think our

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Stefan Popp
m...@stefanpopp.de To: Half-Life dedicated Linux server mailing list hlds_linux@list.valvesoftware.com Sent: Wednesday, August 19, 2009 1:52 AM Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability I think our discussion will never end with our

Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability

2009-08-18 Thread Crazy Canucks
...@stefanpopp.de To: Half-Life dedicated Linux server mailing list hlds_linux@list.valvesoftware.com Sent: Wednesday, August 19, 2009 1:52 AM Subject: Re: [hlds_linux] Valve Source Engine Console Message Format String Vulnerability I think our discussion will never end with our argumentations