This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] CVE-2015-7547 --- glibc getaddrinfo() stack-based buffer overflow


On 02/17/2016 05:20 PM, Mike Frysinger wrote:
> On 17 Feb 2016 16:43, Carlos O'Donell wrote:
>> It's a very good idea. I think we should stack protect libresolv, libdl,
>> nscd, etc, and we do already. Extending that is only going to be a good
>> thing.
> 
> On a related note, seems like nscd should take advantage of seccomp &
> namespaces when available.  That would also significantly mitigate on
> systems.  Any reason not to?

I see no reason why not. We would have to test for the availability of
that functionality in as old a kernel as we support running on, but
as newer kernels are booted the features should just turn on automatically.

For now we've just been using SELinux in nscd to restrict the damage the
daemon could do, but it could potentially be restricted even further.

Cheers,
Carlos.
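The run-time feature test Carlos describes (probe what the booted kernel offers, enable seccomp when it is there, keep running without it on older kernels), as an added example that is not glibc or nscd code. It assumes Linux kernel headers of 3.17 or newer; the allow-all policy is a placeholder for whatever syscall list a real daemon would carry.

```c
/* Added example (not glibc or nscd code): detect at run time which seccomp
 * interface the running kernel offers, enable filtering when it is there, and
 * keep running without it on older kernels. Assumes Linux headers >= 3.17. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifndef SECCOMP_GET_ACTION_AVAIL
#define SECCOMP_GET_ACTION_AVAIL 2          /* operation added in Linux 4.14 */
#endif
enum seccomp_level { SECCOMP_NONE = 0, SECCOMP_LEGACY_PRCTL = 1, SECCOMP_SYSCALL = 2 };

/* Pure decision logic, kept apart from the syscalls so it can be unit-tested. */
enum seccomp_level classify_probe(int prctl_rc, int prctl_err, int sc_rc, int sc_err)
{
    if (prctl_rc < 0 && prctl_err == EINVAL) return SECCOMP_NONE;   /* no CONFIG_SECCOMP */
    if (sc_rc < 0 && sc_err == ENOSYS) return SECCOMP_LEGACY_PRCTL; /* pre-3.17: no seccomp(2) */
    return SECCOMP_SYSCALL;                 /* EINVAL from seccomp(2) only means pre-4.14 */
}
enum seccomp_level probe_seccomp_support(void)
{
    uint32_t action = SECCOMP_RET_ALLOW;    /* an action every filter-capable kernel knows */
    errno = 0;
    int prc = prctl(PR_GET_SECCOMP, 0, 0, 0, 0), perr = errno;
    errno = 0;
    int src = (int)syscall(SYS_seccomp, SECCOMP_GET_ACTION_AVAIL, 0, &action);
    return classify_probe(prc, perr, src, errno);
}
/* Load PROG via the newest interface available; returns -1 with errno set on failure. */
int install_filter(enum seccomp_level lvl, const struct sock_fprog *prog)
{
    if (lvl == SECCOMP_NONE) { errno = ENOSYS; return -1; }
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -1;  /* needed without CAP_SYS_ADMIN */
    if (lvl == SECCOMP_SYSCALL)
        return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, prog);
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, prog);
}
int main(void)
{   /* Placeholder allow-all policy; a real daemon would list the syscalls it needs. */
    struct sock_filter allow_all[] = { BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW) };
    struct sock_fprog prog = { .len = 1, .filter = allow_all };
    enum seccomp_level lvl = probe_seccomp_support();
    if (install_filter(lvl, &prog) < 0) perror("seccomp unavailable, continuing without it");
    else printf("seccomp filter installed (interface level %d)\n", (int)lvl);
    return 0;
}
```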

