This is the mail archive of the
mailing list for the glibc project.
Re: Fix nan functions handling of payload strings (bug 16961, bug 16962)
- From: "Carlos O'Donell" <carlos at redhat dot com>
- To: Joseph Myers <joseph at codesourcery dot com>, Florian Weimer <fweimer at redhat dot com>
- Cc: libc-alpha at sourceware dot org
- Date: Fri, 4 Dec 2015 14:36:27 -0500
On 12/01/2015 07:50 PM, Joseph Myers wrote:
> On Mon, 30 Nov 2015, Florian Weimer wrote:
>> On 11/27/2015 01:26 AM, Joseph Myers wrote:
>>> Carlos, the NEWS entry is a consequence of what you said in
>>> <https://sourceware.org/ml/libc-alpha/2015-10/msg00776.html> about
>>> security+ bugs (such as this one, involving an unbounded stack
>>> allocation from what could theoretically be untrusted input) getting
>>> such entries. Does it seem right to you? Once the NEWS entry is
>>> resolved, I intend to commit this patch.
>>> +* The nan, nanf and nanl functions no longer have unbounded stack usage
>>> + depending on the length of the string passed as an argument to the
>>> + functions. Reported by Joseph Myers.
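Review bot: the entry's last line credits the reporter but the entry carries no bug number, so a reader of NEWS cannot tie the unbounded stack usage fix back to its Bugzilla report. Add the bug reference to the entry alongside "Reported by Joseph Myers."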
>> I think reporters of security bugs want their bugs marked as security
>> bugs. This could be achieved by putting them into a separate section, or
>> adding a "SECURITY: " prefix or something like that.
> Any other comments on the NEWS entry, supposing such a prefix to be added?
The NEWS entry looks good to me.
However, I agree with Florian that we need to call out the security related
changes in a distinct section e.g. "Security related changes:", though I'm
open to suggestions for how to name it or if it comes first or last in the
list of changes.
Additionally I think it would be nice to put security+ bugs in their own
bug list, which involves enhancing or running a different script with a query
to get the list of those bugs.
diff --git a/NEWS b/NEWS
index cb61a3a..295d747 100644
@@ -60,6 +60,17 @@ Version 2.23
C Library is GCC 4.7. Older GCC versions, and non-GNU compilers, can
still be used to compile programs using the GNU C Library.
+Security related changes:
+* The nan, nanf and nanl functions no longer have unbounded stack usage
+ depending on the length of the string passed as an argument to the
+ functions. Reported by Joseph Myers.
+* The following security bugs are resolved with this release:
+ [Some other script which generates the list of security+ bugs
+ resolved in this release.]
* The following bugs are resolved with this release:
[The release manager will add the list generated by
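Review bot: the placeholder under "The following security bugs are resolved with this release:" says only "Some other script" and names neither the script nor the query it runs, so the release manager has nothing concrete to execute. Name the script or spell out the query for security+ bugs in the placeholder. The unchanged "The following bugs are resolved with this release:" list also needs a word on whether security+ bugs appear in both lists or only in the new one.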