This is the mail archive of the mailing list for the glibc project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [PATCH] CVE-2015-7547 --- glibc getaddrinfo() stack-based buffer overflow

On 17 Feb 2016 19:44, Carlos O'Donell wrote:
> On 02/17/2016 05:20 PM, Mike Frysinger wrote:
> > On 17 Feb 2016 16:43, Carlos O'Donell wrote:
> >> It's a very good idea. I think we should stack protect libresolv, libdl,
> >> nscd, etc, and we do already. Extending that is only going to be a good
> >> thing.
> > 
> > on a related note, seems like nscd should take advantage of seccomp &
> > namespaces when available.  that would also significantly mitigate on
> > systems.  any reason to not ?
> I see no reason why not. We would have to test for the availability of
> that functionality in as old a kernel as we support running on, but
> as newer kernels are booted the features should just turn on automatically.

we'd always need to do runtime testing for features since people can
disable both in their configs.  doing the actual testing is pretty
easy as they will return an error (EINVAL) if it's old/disabled.

i've created some bugs and linked to them in the wiki's TODO at least.

> For now we've just been using SELinux in nscd to restrict the damage the
> daemon could do, but it could potentially be restricted even further.

unfortunately SELinux is not as wide spread/adopted as one might hope.

Attachment: signature.asc
Description: Digital signature

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]