
Re: O: libsafe -- Protection against buffer overflow vulnerabilities



Although I do not want to adopt it, I have prepared an NMU based on
Yotam's work.
The changelog is:

libsafe (2.0-9-1) unstable; urgency=low

  * New upstream release. Closes: Bug#118786
  * Removed dependency on ldso. Closes: Bug#117339
  * libsafe no longer maintains its own implementation of libc routines.
    Closes: Bug#122640, Bug#122706, Bug#77949, Bug#104116
  * libsafe should now work properly with glibc: example exploits no
    longer work. Closes: Bug#92336
  * Added libsafe wrapper. Closes: Bug#126421
  * Example exploits are no longer executable by default.
  * All the above was done by Yotam Rubin <yotam@makif.omer.k12.il> who
    is waiting for DAM approval.
  * s/\(DESTDIR[[:space:]]*= \)/\1`pwd`\/..\/debian\/tmp\//
    src/makefile.
  * s/\($(DESTDIR)\/usr\)/\1\/share/ src/makefile.
  * Added a Build-Depends: debhelper line.
  * Non-maintainer upload due to the long time this package has not
    been uploaded and the maintainer just orphaning it. 

 -- Shaul Karl <shaul@debian.org>  Mon, 31 Dec 2001 00:42:21 +0200


Should I upload it?


> Package: wnpp
> Severity: normal
> 
> The current maintainer of libsafe, Ron Rademaker <ron@wep.tudelft.nl>,
> has orphaned this package.  If you want to be the new maintainer,
> please take it -- retitle this bug from 'O:' to 'ITA:', fix the
> outstanding bugs and upload a new version with your name in the
> Maintainer: field and a
> 
>    * New maintainer (Closes: #thisbug)
> 
> in the changelog so this bug is closed.
> 
> 
> Some information about this package:
> 
> Package: libsafe
> Priority: optional
> Section: libs
> Installed-Size: 256
> Maintainer: Ron Rademaker <ron@wep.tudelft.nl>
> Architecture: i386
> Version: 1.3-6
> Depends: libc6 (>= 2.1.2), ldso (>= 1.8.5)
> Suggests: ldso (>= 1.9.0), ld.so.preload-manager (>= 0.1)
> Filename: pool/main/libs/libsafe/libsafe_1.3-6_i386.deb
> Size: 147848
> MD5sum: 5902ee9bca4d0d22b637a06f940e0ecc
> Description: Protection against buffer overflow vulnerabilities
>  Libsafe is a library that works with any pre-compiled executable and can be
>  used transparently. Libsafe intercepts calls to functions known as
>  vulnerable, libsafe uses a substitute version of the function that
>  implements the same functionality, but makes sure any buffer overflows are
>  contained within the current stack frame.
> 
> 
> 
> * Ron Rademaker <ron@wep.tudelft.nl> [20011227 14:17]:
> > You're right that I haven't done anything about libsafe where I should
> > have...
> > 
> > I guess the best thing to do right now is put libsafe up for adoption.
> 
> > On Thu, 27 Dec 2001, Matthias Klose wrote:
> > 
> > > Yotam Rubin writes:
> > > > Greetings,
> > > > 
> > > > 	The last libsafe upload has been over a year ago. Since then, libsafe
> > > > has accumulated a large number of bugs. The current Debian release doesn't
> > > > seem to be very effective. I've packaged the latest libsafe and made it 
> > > > available at: http://192.117.130.34/Fendor/debian/libsafe/
> > > > Can someone NMU that? I've contacted the maintainer but received no reply.
> > > > It's a shame that libsafe wouldn't be usable for Debian users.
> > > 
> > > - the upload isn't marked as a NMU
> > > 
> > > - the package does not build from source (calls ldconfig):
> > > 
> > > - the package does not build a -dev package. Correct?
> > > 
> > > - the package overwrites the old library? Correct, if it's an
> > >   extension only. But then it needs to be marked in the shlibs file.
> > >   Else you need to build a libsafe2 and libsafe-dev package.
> > >   OTOH, no package depends on libsafe.
> > > 
> > > So it seems, we don't gain much to replace one buggy version with the
> > > next buggy version.
> 
> > -- 
> > To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> > 
> 
> -- 
> Martin Michlmayr
> tbm@cyrius.com
> 
> 

-- 

    Shaul Karl
    email: shaulka(at-no-spam)bezeqint.net 
           Please replace (at-no-spam) with an at - @ - character.
           (at-no-spam) is meant for unsolicited mail senders only.



