On 06.12.2013 14:08, Ralf Corsepius wrote:
> On 12/06/2013 10:43 AM, Reindl Harald wrote:
>>
>> On 06.12.2013 10:37, Ralf Corsepius wrote:
>>>>> IMO, -Wformat-security is almost negligible in comparison to these and you
>>>>> are making way too much noise about it than it deserves.
>>>>
>>>> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=format+string [*]
>>>
>>> Yeah, a vulnerability - So what?
>>>
>>> I'd guess the number and severity of vulnerabilities caused by TmpOnTmpfs
>>
>> how should TmpOnTmpfs cause a vulnerability?
>> the opposite is true
>
> TmpOnTmpfs is magnitudes smaller than a traditional /tmp on /

yes, i am also not a fan of this default, see the list-archives
people who know and care about tmpfs did it long ago for their workloads
the improved performance is an urban legend for common workloads

> This causes programs/packages which are assuming an "almost infinitely sized /tmp" to easily
> fill up a small /tmp, and thus the system to choke.

which is not really a *security* problem
that's why you should have not listed it in that context

> 2 Real world examples I've encountered with fedora 18 and 19:
> * https://bugzilla.redhat.com/show_bug.cgi?id=971878
> This one usually kills an individual's system.

see my comment https://bugzilla.redhat.com/show_bug.cgi?id=971878#c1
still not a security problem per se

> * https://bugzilla.redhat.com/show_bug.cgi?id=1006658
> This means using "convert" on a webserver allows arbitrary users on the web to kill servers

if arbitrary users are allowed to call CLI applications from a webserver
you have a security problem and that is for sure *not* TmpOnTmpfs
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
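The -Wformat-security point argued in the thread above, as an added example that is not from the thread or either poster: the pattern the warning flags, its fixed form, and a small check for messages that would be misread as format strings. The compile flags, function names and the sample input are assumptions.

```c
/* Added example, not part of the thread: the pattern that -Wformat-security
   exists to catch (a non-literal format string with no arguments), beside the
   fixed form. Build with: gcc -Wall -Wformat -Wformat-security demo.c */
#include <stdio.h>
#include <string.h>

enum { BUF = 64 };

/* Unsafe: msg itself is used as the format string. If msg comes from an
   untrusted source, every %-directive in it is interpreted. With
   -Wformat-security GCC reports this call:
   "format not a string literal and no format arguments". */
int render_unsafe(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, msg);
}

/* Safe: the format is a literal and msg is passed as data, so a '%' in msg
   is copied verbatim instead of being parsed. */
int render_safe(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, "%s", msg);
}

/* Defensive check for code that cannot be rebuilt yet: returns 1 if msg
   contains a conversion specifier, i.e. would be misread as a format. */
int looks_like_format(const char *msg)
{
    const char *p = strchr(msg, '%');
    while (p) {
        if (p[1] != '%')          /* "%%" is only a literal percent sign */
            return 1;
        p = strchr(p + 2, '%');   /* skip the escaped pair */
    }
    return 0;
}

int main(void)
{
    char out[BUF];
    const char *untrusted = "100%d complete";   /* constructed sample input */
    render_safe(out, sizeof out, untrusted);    /* '%' survives untouched */
    printf("safe:    %s\n", out);
    printf("flagged: %d\n", looks_like_format(untrusted));
    /* render_unsafe(out, sizeof out, untrusted) would read a missing int
       argument: undefined behaviour, so it is deliberately not called. */
    return 0;
}
```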