From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1PBHzj-0006Oi-C6 for garchives@archives.gentoo.org; Thu, 28 Oct 2010 02:13:35 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id E906E1C082 for ; Thu, 28 Oct 2010 02:13:34 +0000 (UTC) Received: from mail-ey0-f181.google.com (mail-ey0-f181.google.com [209.85.215.181]) by pigeon.gentoo.org (Postfix) with ESMTP id F36F1E07D0 for ; Thu, 28 Oct 2010 01:24:05 +0000 (UTC) Received: by eyg5 with SMTP id 5so946902eyg.40 for ; Wed, 27 Oct 2010 18:24:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=gVYPoZbYGlwPLep+quUzFXi5RKKxjVg7Jx/N1DAndBU=; b=B3YjFZp5xKSyOsAGy6bz1YIudZEwO6XbhqsIU0abIbO9H5FVS2zzql8Q7SFhJAo5Vu cSYa7Z1Mv31vYv+Tn9i6KU1jcCprXWHBfT5/o/+6mjQ0ByKe39ftaYMcMa/Rvvuofwsj gf9rj5jlQzRzoixk0HqVhch3T3djbzcxtpOJ0= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; b=e+mvHQqysVSxOgMKu2OcmVIkDmdZS8Qg92e0BZYhj5S78wfOl41cyPIkmgfmaOQ5a1 182bB2bSQVMYcrjzgihHN6HPLNU/oSxaIGFKuqAqPpYH4cX2PAHm8aJP9wzXq/1Js84S 0lvhXs9DtA3OZwQRwur1udv8abmu6qsO1Y04o= Received: by 10.213.29.204 with SMTP id r12mr1569516ebc.10.1288229044487; Wed, 27 Oct 2010 18:24:04 -0700 (PDT) Received: from [195.222.177.67] (FTTBs-195.222.177.67.ranetka.ru [195.222.177.67]) by mx.google.com with ESMTPS id x54sm344389eeh.17.2010.10.27.18.24.02 (version=SSLv3 cipher=RC4-MD5); Wed, 27 Oct 2010 18:24:03 -0700 (PDT) Message-ID: <4CC8D077.7040605@gmail.com> Date: Thu, 28 Oct 2010 09:23:03 +0800 From: Pavel Labushev User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.11) Gecko/20101023 Lightning/1.0b3pre Thunderbird/3.1.5 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-security@lists.gentoo.org Reply-to: gentoo-security@lists.gentoo.org MIME-Version: 1.0 To: gentoo-security@lists.gentoo.org Subject: Re: [gentoo-security] #342619 RESOLVED WONTFIX References: <20101026191542.GA14996@localhost> <201010272033.56366.volkerarmin@googlemail.com> <20101028002353.GA10276@localhost> In-Reply-To: <20101028002353.GA10276@localhost> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Archives-Salt: b914a234-6290-47e4-b188-da5f346e5b06 X-Archives-Hash: 46595735d82bb89e00b5dac05fcf698d > I didn't test that patch; even if it's incorrect, bugreport is not about > a patch. It's about a security issue. Well, the bug report is about the patch. There's another bug about the issues with LD_AUDIT: https://bugs.gentoo.org/show_bug.cgi?id=341755 > This proof-of-concept exploit still works in gentoo (amd64 stable at least, > even hardened!), because some dangerous variables are not filtered out. It still works because glibc-2.11.2-r2 with the fix is still keyworded (yeah, epic fail goes on).