Date:      Tue, 4 Sep 2001 12:28:43 -0700
From:      Kris Kennaway <kris@obsecurity.org>
To:        Matt Dillon <dillon@earth.backplane.com>
Cc:        Mark Peek <mark@whistle.com>, "Andrey A. Chernov" <ache@nagual.pp.ru>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/lib/libc/stdlib strtol.3 strtol.c strtoll.c strtoq.c strtoul.3 strtoul.c strtoull.c strtouq.c
Message-ID:  <20010904122843.A56085@xor.obsecurity.org>
In-Reply-To: <200109041705.f84H5W692572@earth.backplane.com>; from dillon@earth.backplane.com on Tue, Sep 04, 2001 at 10:05:32AM -0700
References:  <200109041639.f84GdBm87501@freefall.freebsd.org> <20010904204454.A32114@nagual.pp.ru> <p05100307b7bab7186d08@[10.1.10.118]> <200109041705.f84H5W692572@earth.backplane.com>


On Tue, Sep 04, 2001 at 10:05:32AM -0700, Matt Dillon wrote:
>
> :
> :At 8:44 PM +0400 9/4/01, Andrey A. Chernov wrote:
> :>On Tue, Sep 04, 2001 at 09:39:11 -0700, Andrey A. Chernov wrote:
> :>>  ache        2001/09/04 09:39:11 PDT
> :>>
> :>>    Modified files:
> :>>      lib/libc/stdlib      strtol.3 strtol.c strtoll.c strtoq.c
> :>>                           strtoul.3 strtoul.c strtoull.c strtouq.c
> :>
> :>Forget "Reviewed by: audit silence"
> :
> :Wow, less than 24 hours is considered "audit silence"? I'd like to
> :think an acceptable wait period is a bit longer than that!
> :
> :Mark
>
>     Is there any reason we are keeping the rcsid in some of the source
>     files?  Can we just scrap these?  (Also strhash.c uses the wrong
>     declaration for rcsid.  But I'd just assume wipe them out completely).

Having rcsid[] visible in source files is very useful from my point of
view in determining whether a binary is vulnerable to a security
vulnerability.  If we have rcsids in everything (especially
libraries), then it would be trivial to write scanning software which
identifies all vulnerable binaries on the system, dynamically and
statically linked.  If the vulnerable source file has no rcsid, the
best you can do is play ugly games and try and hunt for another
hopefully-unique string embedded in the static binary.

Perhaps it would be better to stick these in an ELF section which
could be stripped out by people who don't want them.

Kris
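The scanner Kris describes, as an added example that is not code from this thread or from FreeBSD: it pulls `$FreeBSD: path,v rev ...$` rcsid strings out of a binary's bytes and compares each embedded revision against a table of the revisions in which a fix landed. The sample "binary" blob, its revision numbers and dates, and the fixed-in table are constructed placeholders; only the source file paths come from the commit in this thread.

```python
import re
import sys
from typing import Dict, List, Tuple

# An RCS/CVS keyword string as the FreeBSD tree embeds it, e.g.
#   $FreeBSD: src/lib/libc/stdlib/strtol.c,v 1.13 2001/09/04 16:39:11 ache Exp $
# The older bare $Id:/$Header: forms use the same layout after the colon.
RCSID_RE = re.compile(
    rb"\$(?:FreeBSD|Id|Header): (?P<path>[^\s,]+),v (?P<rev>\d+(?:\.\d+)*) "
)


def parse_rev(rev: str) -> Tuple[int, ...]:
    """'1.10' -> (1, 10); tuples compare numerically, so 1.9 < 1.10."""
    return tuple(int(part) for part in rev.split("."))


def find_rcsids(blob: bytes) -> Dict[str, Tuple[int, ...]]:
    """Return {source path: revision} for every rcsid string found in blob.

    A statically linked binary may carry the same file twice (two objects
    built from different checkouts); the oldest revision is the one that
    matters for "is it still vulnerable", so that is the one kept.
    """
    found: Dict[str, Tuple[int, ...]] = {}
    for match in RCSID_RE.finditer(blob):
        path = match.group("path").decode("ascii", "replace")
        rev = parse_rev(match.group("rev").decode("ascii"))
        if path not in found or rev < found[path]:
            found[path] = rev
    return found


def vulnerable_files(blob: bytes, fixed_in: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """List (path, embedded revision, fixed revision) for files older than the fix.

    Caveat: this compares revisions on a single branch. A branch revision such
    as 1.5.2.3 sorts below trunk 1.6, which is right only if the fix was never
    merged to that branch.
    """
    hits = []
    for path, rev in find_rcsids(blob).items():
        if path in fixed_in and rev < parse_rev(fixed_in[path]):
            hits.append((path, ".".join(map(str, rev)), fixed_in[path]))
    return hits


def scan_file(filename: str, fixed_in: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Scan one on-disk binary or library; works on static and dynamic objects alike."""
    with open(filename, "rb") as fh:
        return vulnerable_files(fh.read(), fixed_in)


# Constructed stand-in for a binary: an ELF-looking header, padding, and three
# rcsid strings. Revisions and dates are placeholders, not real history.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"$FreeBSD: src/lib/libc/stdlib/strtol.c,v 1.9 2001/08/01 00:00:00 nobody Exp $\x00"
    + b"\x00" * 3
    + b"$FreeBSD: src/lib/libc/stdlib/strtoul.c,v 1.11 2001/09/04 16:39:11 ache Exp $\x00"
    + b"$FreeBSD: src/lib/libc/stdlib/strtoll.c,v 1.3 2001/07/01 00:00:00 nobody Exp $\x00"
    + b"\x00" * 5
)

# Constructed table: first revision of each file that carries the fix (placeholders).
FIXED_IN = {
    "src/lib/libc/stdlib/strtol.c": "1.10",
    "src/lib/libc/stdlib/strtoul.c": "1.11",
    "src/lib/libc/stdlib/strtoll.c": "1.4",
}

if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the named files.
    if len(sys.argv) == 1:
        results = [("<sample>", hit) for hit in vulnerable_files(SAMPLE_BINARY, FIXED_IN)]
    else:
        results = [(name, hit) for name in sys.argv[1:] for hit in scan_file(name, FIXED_IN)]
    for name, (path, have, need) in results:
        print(f"{name}: {path} is at rev {have}, fixed in {need}")
```

The same limitation Kris points out applies here: once the rcsid strings are stripped from a binary there is nothing left to match on, which is why he suggests keeping them in a separate ELF section that the people who want them stripped can remove deliberately rather than dropping them from the sources.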

