Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing

To: debian-devel@lists.debian.org
Subject: Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
From: Russ Allbery <rra@debian.org>
Date: Tue, 24 Sep 2013 09:04:33 -0700
Message-id: <[🔎] 87bo3imcj2.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] loom.20130924T134453-638@post.gmane.org> (Thorsten Glaser's message of "Tue, 24 Sep 2013 11:51:25 +0000 (UTC)")
References: <[🔎] 20130920190537.GZ27621@onerussian.com> <[🔎] 20130921051216.GN5094@outflux.net> <[🔎] 20130921124634.GX21512@fmf.nl> <[🔎] 20130921150813.GA21253@outflux.net> <[🔎] loom.20130924T134453-638@post.gmane.org>

Thorsten Glaser <tg@mirbsd.de> writes:

> The glibc people decision to return NULL in crypt(3) has led to several
> (plural) CVEs in other software, such as cyrus-sasl2 and xlockmore,
> already and breaks the GNU CVS testsuite.

crypt returning NULL transforms various obscure but more serious problems
into a denial of service attack (dereferencing a NULL pointer).  I think
it's movement in the right direction.  Yes, it required changes in the
downstream users to fix handling of a NULL return, but POSIX already said
that a NULL return was possible, so those were existing latent bugs
(consider resource exhaustion errors in the crypt implementation, for
example).  It's a simple failure, as opposed to the more obscure failures
possible with the previous implementation.

This change also sets us up for a possible future where we decide that DES
is sufficiently insecure that we want to refuse to ever use a DES hash.

Your proposed solution on libc-alpha was ingenious, but I think it breaks
the crypt contract in even more serious ways, since it means that crypt
could now return a string matching the disabled password field in
/etc/shadow.  I bet there's at least one program out there that would then
let people authenticate to locked accounts.  It's at least extremely
surprising and not clearly better than returning NULL.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
  - From: Thorsten Glaser <tg@mirbsd.de>

References:
- think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
  - From: Yaroslav Halchenko <debian@onerussian.com>
- Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
  - From: Kees Cook <kees@debian.org>
- Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
  - From: Bas Wijnen <wijnen@debian.org>
- Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
  - From: Kees Cook <kees@debian.org>
- Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
  - From: Thorsten Glaser <tg@mirbsd.de>

Prev by Date: Bug#724506: ITP: libcgi-expand-perl -- convert flat hash to nested data using TT2's dot convention
Next by Date: Re: Roll call for porters of architectures in sid and testing
Previous by thread: Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
Next by thread: Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
Index(es):
- Date
- Thread