Re: FTBFS if "-Werror=format-security" flag is used

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Am 06.12.2013 14:08, schrieb Ralf Corsepius:
> On 12/06/2013 10:43 AM, Reindl Harald wrote:
>>
>> Am 06.12.2013 10:37, schrieb Ralf Corsepius:
>>>>> IMO, -Wformat-security is almost negibile in comparison to these and you
>>>>> are making way too much noise about it than it deserves.
>>>>
>>>> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=format+string [*]
>>>
>>> Yeah, a vulnerability - So what?
>>>
>>> I'd guess the number and severity of vulnerabilities caused by TmpOnTmpfs
>>
>> how should TmpOnTmpfs cause a vulerability?
>> the opposite is true
> 
> TmpOnTmpfs is magitudes smaller than a traditional /tmp on /

yes, i am also not a fan of this default, see the list-archives
people who know and care about tmpfs did it long ago for their workloads
the improved performance is a urban legend for common workloads

> This causes programs/packages which are assuming an "almost infinitely sized /tmp" to easily 
> fill up a small /tmp, and thus the system to choke.

which is not really a *security* problem
that's why you should have not listed it in that context

> 2 Real world examples I've encountered with fedora 18 and 19:
> * https://bugzilla.redhat.com/show_bug.cgi?id=971878
> This one usually kills an individual's system.

see my comment https://bugzilla.redhat.com/show_bug.cgi?id=971878#c1

still not a security problem per se

> * https://bugzilla.redhat.com/show_bug.cgi?id=1006658
> This means one means using "convert" on webserver allows arbitrary users on the web to kill servers

if arbitary users are allowed to call CLI applications from a webserver
you have a security problem and that is for sure *not* TmpOnTmpfs

Attachment: signature.asc
Description: OpenPGP digital signature

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux