
Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing



Russ Allbery <rra <at> debian.org> writes:

> (consider resource exhaustion errors in the crypt implementation, for

No, the standard said it would either always fail or never fail, but
independent of the input data.

> Your proposed solution on libc-alpha was ingenious, but I think it breaks
> the crypt contract in even more serious ways, since it means that crypt
> could now return a string matching the disabled password field in

No, it cannot, because you pass the “password field” as seed, hence
the comparison: if the password field is disabled by ‘*’ you get ‘x’,
if it’s disabled by ‘x’ you get ‘*’. It always returns something not
matching.

And it prevents serious security issues in legacy code (which, by the
way, often predates the standard and thus is allowed to not follow
it).

bye,
//mirabilos
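The invariant the post describes (a failed crypt() call yields a string that can never equal the stored password field) can be checked in a few lines. The following is an added example for this list archive, not code from the post, from the libc-alpha proposal or from any libc; `safe_crypt`, `never_matching`, `legacy_auth_ok` and the always-failing `failing_crypt` stub are hypothetical names, and the real hash function is passed in as a callback so the example runs without linking libcrypt. It shows the legacy `strcmp(crypt(pw, field), field) == 0` pattern, why an unconditional "*" fallback is dangerous against a field disabled with "*", and how the '*'/'x' swap avoids that.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical crypt-like callback: returns NULL on failure, as crypt()
 * does when it cannot produce a hash for the given setting. */
typedef char *(*crypt_fn)(const char *key, const char *setting);

/* Fallback marker that cannot equal the stored field. Mirrors the post:
 * a field disabled with '*' gets "x", one disabled with 'x' gets "*".
 * Treating every other field the same way as 'x' (return "*") is an
 * assumption of this example, not something the post states. */
const char *never_matching(const char *setting) {
    if (setting != NULL && setting[0] == '*')
        return "x";
    return "*";
}

/* crypt() wrapper that never returns NULL: on failure it returns the
 * non-matching marker instead, so legacy callers neither crash on NULL
 * nor get a false positive. */
const char *safe_crypt(crypt_fn real, const char *key, const char *setting) {
    char *h = real(key, setting);
    return (h != NULL) ? h : never_matching(setting);
}

/* The legacy check as commonly written: compare the hash of the supplied
 * password with the stored field and accept on equality. */
int legacy_auth_ok(crypt_fn real, const char *pw, const char *stored) {
    return strcmp(safe_crypt(real, pw, stored), stored) == 0;
}

/* The hazard Russ Allbery raised: an unconditional "*" fallback would
 * compare equal to a password field that is itself "*" (account disabled),
 * turning a crypt() failure into a successful login. */
int unconditional_star_would_match(const char *stored) {
    return strcmp("*", stored) == 0;
}

/* Constructed stub standing in for a crypt() that always fails. */
char *failing_crypt(const char *key, const char *setting) {
    (void)key;
    (void)setting;
    return NULL;
}

int main(void) {
    const char *fields[] = { "*", "x", "!", "*LK*", "" };
    size_t i;
    for (i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        printf("field \"%s\": fallback \"%s\", legacy check accepts=%d, "
               "bare \"*\" would accept=%d\n",
               fields[i], never_matching(fields[i]),
               legacy_auth_ok(failing_crypt, "secret", fields[i]),
               unconditional_star_would_match(fields[i]));
    }
    return 0;
}
```

Only a stored field of exactly "*" or "x" could ever collide with a one-character marker, which is why swapping the two characters is sufficient; for every other field the marker differs from the first character already.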

