
Re: StackGuard



On Mon, Nov 09, 1998 at 03:31:08PM -0500, Avery Pennarun wrote:

> Actually, only daemons running as root, and setuid programs would
> need to be compiled with stackguard.  Other programs are just as
> vulnerable to stack overflows, but there's not much point in me
> crashing my own copy of ls :)
 
> Now, how many daemons are still around that run as root... as few as
> possible :)

You also have to look at what programs root runs on tainted data.
Remember the big fiasco with 'update' or whatever it was a while ago?
Didn't it turn out to be 'find' or something?  Don't recall the
specifics, but it certainly wasn't an suid program.

I concur with the idea that it should be looked upon as a port.

-- 
David Welton                          http://www.efn.org/~davidw 

	Debian GNU/Linux - www.debian.org

