Date: Thu, 23 Sep 2004 03:41:07 +0200
From: Christian Birchinger
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Stack smash protected daemons
Message-ID: <20040923014107.GA24710@netswarm.net>
In-Reply-To: <1095898314.5905.2889.camel@simple>
References: <4151A04F.5090304@comcast.net> <20040922170424.26f1253b@snowdrop.home> <4151EB12.9010504@comcast.net> <1095898314.5905.2889.camel@simple>
Mail-Followup-To: gentoo-dev@lists.gentoo.org
Organization: Gentoo Linux
User-Agent: Mutt/1.5.6i
X-Archives-Salt: 969f2d6c-ca18-436e-a42b-05ad3f815974
X-Archives-Hash: b5a71ee1daf429289ed6340c9b5b7cef

On Wed, Sep 22, 2004 at 08:11:54PM -0400, Ned Ludd wrote:
>
> Yes. Our security team has currently done 141 GLSA's this year alone.
> 42 of which match the string overflow.
>
> Only 1 of those does not play along with -fstack-protector that I'm
> aware of and that's being worked on currently.
Maybe it would be a good idea to add additional info in the GLSA about the vulnerability if you use "-fstack-protector". (Sorry if that's already the case, but I can't remember seeing it.)

Of course this can be dangerous, because lazy people stop updating the software because they feel safe, which is totally wrong. Maybe some very careful neutral hint would help.

I would use such information to decide if I should go and fix something at 3am or go to bed and fix it 6h later after I wake up.

The main goal would be some advertisement for -fstack-protector.

Just an idea. I'm not even sure if I like it myself :)

Christian

-- 
gentoo-dev@gentoo.org mailing list
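The thread turns on what "plays along with -fstack-protector" means: the canary catches an overflow that runs off the end of a stack buffer into the return address, but not one whose damage stays inside the frame the function is still using. The following is an added example written for this page, not code from the thread, from Gentoo or from any GLSA. It assumes Linux/glibc with gcc or clang on a common architecture; the names (g_payload, unchecked_copy, smash_stack, child_flag_overwrite, safe_login, run_in_child) and the 64-byte 'A' payload are constructed for the demo. Each case runs in a forked child so the parent can report whether the child exited normally or was killed by a signal.

```c
#define _GNU_SOURCE 1
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed attacker input (64 x 'A'); a daemon would read it from the net. */
static char g_payload[64];
/* Read through a volatile so the compiler cannot fold the overflow away. */
static volatile size_t g_len;

/* Deliberately unsafe: hand-rolled copy with no bounds check, the pattern
 * behind the "overflow" GLSAs the thread is counting. */
static void unchecked_copy(volatile char *dst, const char *src, size_t n)
{
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i];
}

/* Case 1: contiguous stack smash.  64 bytes into a 16-byte buffer overwrite
 * the canary (if built with -fstack-protector), saved frame pointer and
 * return address.  The epilogue's canary check calls __stack_chk_fail and
 * the process dies with SIGABRT; without the protector it returns into
 * 0x4141... and dies with SIGSEGV instead.  Either way it never exits 0. */
__attribute__((noinline)) static void smash_stack(const char *src)
{
    char buf[16];
    g_len = sizeof g_payload;
    unchecked_copy(buf, src, g_len);
}

__attribute__((noinline)) static int child_smash(void)
{
    smash_stack(g_payload);
    return 0;                     /* not reached cleanly: abort/crash on return */
}

/* Case 2: overflow that stays inside the frame.  is_admin sits right after
 * name and below the canary, so a 20-byte copy flips the flag without
 * touching the canary; the check passes and the function returns "admin".
 * This is the kind of bug -fstack-protector does not catch. */
struct login { char name[16]; int is_admin; };

__attribute__((noinline)) static int child_flag_overwrite(void)
{
    struct login l = { .name = "", .is_admin = 0 };
    g_len = sizeof l;             /* 20 = 16 bytes of name + 4 of flag */
    unchecked_copy(l.name, g_payload, g_len);
    return l.is_admin ? 1 : 0;    /* 1 = privilege gained, no abort */
}

/* The fix for both: check the length against the destination first.
 * Returns -1 and copies nothing if src (plus terminator) does not fit. */
static int safe_login(struct login *l, const char *src, size_t n)
{
    if (n >= sizeof l->name)
        return -1;
    memcpy(l->name, src, n);
    l->name[n] = '\0';
    return 0;
}

static int child_safe(void)
{
    struct login l = { .name = "", .is_admin = 0 };
    if (safe_login(&l, g_payload, 20) < 0)
        return 0;                 /* oversized input rejected */
    return l.is_admin ? 1 : 0;
}

/* Run fn in a forked child.  Returns its exit status if it exited normally,
 * -1 (with the signal in *signo) if it was killed, -2 on fork/wait error. */
static int run_in_child(int (*fn)(void), int *signo)
{
    int status;
    memset(g_payload, 'A', sizeof g_payload);
    *signo = 0;
    pid_t pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0)
        _exit(fn());
    if (waitpid(pid, &status, 0) < 0)
        return -2;
    if (!WIFSIGNALED(status))
        return WEXITSTATUS(status);
    *signo = WTERMSIG(status);
    return -1;
}

int main(void)
{
    int sig, rc;
    rc = run_in_child(child_smash, &sig);
    printf("contiguous smash : %s\n", rc == -1 ? strsignal(sig) : "returned (!)");
    rc = run_in_child(child_flag_overwrite, &sig);
    printf("in-frame overflow: exit %d (1 = flag flipped, canary untouched)\n", rc);
    rc = run_in_child(child_safe, &sig);
    printf("bounds-checked   : exit %d (0 = oversized input rejected)\n", rc);
    return 0;
}
```

Build it twice, once with `-fstack-protector` (or `-fstack-protector-strong`) and once with `-fno-stack-protector`, and compare the first line: with the canary the child dies with "Aborted" and glibc prints "*** stack smashing detected ***", without it the child dies with "Segmentation fault" and an attacker who controls the payload controls the return address. The second line is the same in both builds, which is the point Ned's "does not play along" case is about: a GLSA hint that a daemon was built with -fstack-protector only says something about the first kind of overflow, so it can soften the timing of an update but never replaces it.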