Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Fedora Packaging (http://www.linux-archive.org/fedora-packaging/)
-   -   Override with -D_FORTIFY_SOURCE=0 as workaround allowed? (http://www.linux-archive.org/fedora-packaging/619322-override-d_fortify_source-0-workaround-allowed.html)

"Daniel P. Berrange" 01-10-2012 09:39 AM

Override with -D_FORTIFY_SOURCE=0 as workaround allowed?
 
On Tue, Jan 10, 2012 at 11:25:39AM +0100, Robert Scheck wrote:
> Hello Tom,
>
> On Mon, 09 Jan 2012, Tom Lane wrote:
> > I think the reason this hasn't been complained of too much is that
> > it's generally better to use poll(2) instead of select(2) if your
> > program can have a lot of file descriptors open. Have the Zarafa
> > developers considered offering a poll()-based option?
>
> I have taken that topic already to Zarafa, more than void was not yet
> returned, however there is an internal developer meeting this week, I
> think.
>
> Even if they decide to rewrite the code, it's not done immediately and
> non-paid code rewrites maybe also take some time, it's similar like at
> RHEL vs. subscription, if I'm allowed to compare.
>
> Would -D_FORTIFY_SOURCE=0 be acceptable until the code is rewritten?

As Tom pointed out, if you override FD_SETSIZE with glibc, this has
no effect on the size of the 'fd_set' struct. So any attempt to
actually store a larger number of FDs will be writing outside
the bounds of the struct. ie it will be corrupting heap/stack
memory. This is the kind of flaw that leads to crashes at best,
or security exploits at worst.

Thus, IMHO, it is not acceptable to set -D_FORTIFY_SOURCE=0.
You'd be building known broken, potentially insecure binaries.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
--
packaging mailing list
packaging@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/packaging

Robert Scheck 01-11-2012 11:36 AM

Override with -D_FORTIFY_SOURCE=0 as workaround allowed?
 
Hello Tom,

On Mon, 09 Jan 2012, Tom Lane wrote:
> I think the reason this hasn't been complained of too much is that
> it's generally better to use poll(2) instead of select(2) if your
> program can have a lot of file descriptors open. Have the Zarafa
> developers considered offering a poll()-based option?

meanwhile, I got the reply that --enable-epoll triggers epoll(2) usage.
However I am already building with that ./configure option and thus it is
not solving the issue. Does it mean there are other select(2) overlefts?


Greetings,
Robert
--
packaging mailing list
packaging@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/packaging


All times are GMT. The time now is 10:18 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.