
Bug#233208: Patch effectiveness



  As well as showing how well the compiler works for the i386 platform
 I have a list of all my recent DSAs and a comment on whether
 the SSP compiler would have prevented exploitation.

  The table can be found here:

  	http://shellcode.org/Advisories/

  The short version is that 16 out of the previous 21 DSAs which I've
 been responsible for would have become unexploitable had the relevant
 packages been compiled with an SSP-enabled compiler.

  I accept that the patch probably won't be enabled until it's been
 tested more - but it's a catch-22 situation: most archs won't get more
 testing until it's been enabled!

  FWIW I believe enabling it, but having the protection default to off
 is the correct solution.  After sarge.

-- 
Steve
--
# Debian Security Audit Project
http://www.shellcode.org/Audit/



