This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: Policy for posting security bug reports?


On Sat, Jun 23, 2012 at 06:31:17PM -0400, Mike Frysinger wrote:
> On Saturday 23 June 2012 09:55:51 Petr Baudis wrote:
> > policy there? E.g. for gcc, binutils (probably not too many security
> > bugs in these two), coreutils, ...?
> 
> gcc & binutils pretty explicitly don't have security paths.  bugs are bugs to 
> them.  probably because it's fairly easy to crash them, and they don't get run 
> in the same situations as the C library.

gcc/binutils bugs could be serious security issues if you're using
distcc and you don't entirely trust your clients. Even if you're
running it as an isolated user with minimal local permissions, in
order to avoid an exploit in one run from one remote user being able
to inject malicious code into the output of another user's run, you'd
need to isolate each run into a separate privilege space. I'm not sure
if distcc has support for doing this but it seems non-trivial...

Rich
