
Civilizing SELinux

Posted Nov 26, 2004 5:22 UTC (Fri) by spender (subscriber, #23067)
In reply to: Civilizing SELinux by bluefoxicy
Parent article: Civilizing SELinux

Here's the situation: We've filed the bug reports. We've shown that it leaks the base addresses for mmap randomization. It's plain as day to see: run the suid app with LD_DEBUG=all multiple times, and you'll see the library addresses, which will be different each time. Jakub Jelinek's reply has been that it "doesn't leak specific symbol addresses." I'm not sure he understands that if you have information about the mmap base, you can easily calculate a specific symbol address from it. We've shown him another environment variable that does leak specific addresses, and his only reply has been "maybe we should fix this." I've not seen a fix announced yet. That was months ago: they've released updated glibc packages since then not containing any of these fixes.

What do you do when the person in control of the code is too stupid and stubborn to fix his own bugs? Is it my job to hold the hand of this jerk who is too concerned with being a smart-ass to fix his own bugs?
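The check spender describes above (run the binary several times with LD_DEBUG set and compare the library addresses it prints) can be turned into a small audit script for a sysadmin who wants to know whether the loader on a given box still honours LD_DEBUG for setuid binaries. The following is an added example, not code from the thread or from glibc; it assumes the "base: 0x..." line that glibc's ld.so prints per library under LD_DEBUG=files (which LD_DEBUG=all includes), and the three captured runs embedded below are constructed with made-up addresses.

```python
import re

# Constructed sample: the per-library link-map lines ld.so prints under
# LD_DEBUG=files, captured from three launches of the same binary.  Addresses
# are invented for this example.  Each element is one run's stderr output.
SAMPLE_RUNS = [
    "     4242:\tfile=libc.so.6 [0];  needed by ./suidapp [0]\n"
    "     4242:\tfile=libc.so.6 [0];  generating link map\n"
    "     4242:\t  dynamic: 0x00007f3a1c1e5b80  base: 0x00007f3a1bfe0000   size: 0x00000000003c3000\n"
    "     4242:\tfile=libdl.so.2 [0];  generating link map\n"
    "     4242:\t  dynamic: 0x00007f3a1bfdab00  base: 0x00007f3a1bfd6000   size: 0x0000000000005000\n",
    "     4243:\tfile=libc.so.6 [0];  needed by ./suidapp [0]\n"
    "     4243:\tfile=libc.so.6 [0];  generating link map\n"
    "     4243:\t  dynamic: 0x00007f81e03d1b80  base: 0x00007f81e01cc000   size: 0x00000000003c3000\n"
    "     4243:\tfile=libdl.so.2 [0];  generating link map\n"
    "     4243:\t  dynamic: 0x00007f81e01c6b00  base: 0x00007f81e01c2000   size: 0x0000000000005000\n",
    "     4244:\tfile=libc.so.6 [0];  needed by ./suidapp [0]\n"
    "     4244:\tfile=libc.so.6 [0];  generating link map\n"
    "     4244:\t  dynamic: 0x00007f0c5a6f9b80  base: 0x00007f0c5a4f4000   size: 0x00000000003c3000\n"
    "     4244:\tfile=libdl.so.2 [0];  generating link map\n"
    "     4244:\t  dynamic: 0x00007f0c5a4eeb00  base: 0x00007f0c5a4ea000   size: 0x0000000000005000\n",
]

# "file=<lib> [N];  generating link map" names the library; the next
# "dynamic: ... base: ... size: ..." line carries its load base.
LINK_MAP_LINE = re.compile(r"file=(?P<lib>\S+) \[\d+\];\s+generating link map")
BASE_LINE = re.compile(r"\bbase: 0x(?P<base>[0-9a-fA-F]+)")


def extract_bases(run_output):
    """Map library name -> load base address (int) for one captured run."""
    bases = {}
    pending = None
    for line in run_output.splitlines():
        m = LINK_MAP_LINE.search(line)
        if m:
            pending = m.group("lib")
            continue
        m = BASE_LINE.search(line)
        if m and pending is not None:
            bases[pending] = int(m.group("base"), 16)
            pending = None
    return bases


def randomized_libraries(runs):
    """Libraries whose base address took more than one value across the runs."""
    per_run = [extract_bases(r) for r in runs]
    libs = set().union(*per_run)
    varying = [lib for lib in libs
               if len({b[lib] for b in per_run if lib in b}) > 1]
    return sorted(varying)


def classify(runs):
    """Verdict for a set of captured runs of the same binary.

    no_output        - the loader printed no link-map data at all, which is the
                       desired behaviour for a setuid binary: LD_DEBUG ignored.
    leaks_static     - bases are printed but identical every run: no mmap
                       randomization on this binary, and the layout is public.
    leaks_randomized - bases are printed and differ per run: randomization is
                       on, but the debug output hands each run's base to the
                       unprivileged caller, which is the leak the thread is about.
    """
    per_run = [extract_bases(r) for r in runs]
    if not any(per_run):
        return "no_output"
    return "leaks_randomized" if randomized_libraries(runs) else "leaks_static"


if __name__ == "__main__":
    print(classify(SAMPLE_RUNS), randomized_libraries(SAMPLE_RUNS))
```

On a real system the runs would be captured with something like LD_DEBUG=files ./suidapp 2>run1.txt (ld.so writes its debug output to stderr), one file per launch, and the verdict to hope for on a setuid binary is no_output. Later glibc releases ignore LD_DEBUG for AT_SECURE (setuid/setgid) processes unless /etc/suid-debug exists, so that file's presence on a production box is itself worth flagging.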



Civilizing SELinux

Posted Nov 26, 2004 5:52 UTC (Fri) by bluefoxicy (guest, #25366)

If I can LD_DEBUG=all and run a program, I can find the libraries it uses and find the symbols at offsets, and calculate that. You are indeed correct about this.

I also read that LAZY binding allows you to block STDOUT at critical points and exploit race conditions on infinite windows instead of millisecond-wide windows.

I for one am glad that Gentoo has a dedicated security team that either creates or abducts any patches that fix ANY security concern, rather than wander around and go "huh that might not really be a problem maybe we shouldn't change it . . . ."

bluefox@icebox ~/data/programming/woct $ LD_DEBUG=all su
Password:

You said something about posting to BugTraq about some of these vulns. Has nobody done this? It may not be the best way to get in bed with them, but if there's a security issue that *needs* *to* *be* *fixed*, it may just be time to hit them in the face with the frying pan of reality. Then again, I don't know; I'm too busy playing FF8 to think about this right now.

Copyright © 2008, Eklektix, Inc.