On 12/06/2013 02:57 PM, Reindl Harald wrote:
> On 06.12.2013 14:08, Ralf Corsepius wrote:
>> On 12/06/2013 10:43 AM, Reindl Harald wrote:
>>> On 06.12.2013 10:37, Ralf Corsepius wrote:
>>>> IMO, -Wformat-security is almost negligible in comparison to these and you
>>>> are making way more noise about it than it deserves.
>>> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=format+string [*]
>> Yeah, a vulnerability - So what?
>> I'd guess the number and severity of vulnerabilities caused by TmpOnTmpfs
> how should TmpOnTmpfs cause a vulnerability?
> the opposite is true
>> TmpOnTmpfs is magnitudes smaller than a traditional /tmp on /
> yes, i am also not a fan of this default, see the list-archives
> people who know and care about tmpfs did it long ago for their workloads
> the improved performance is an urban legend for common workloads
>> This causes programs/packages which are assuming an "almost infinitely sized /tmp" to easily
>> fill up a small /tmp, and thus the system to choke.
> which is not really a *security* problem

In the first place it's a denial of service problem. Once /tmp is filled up
all kinds of weird issues pop up and cause all kinds of malfunctions.

>> 2 Real world examples I've encountered with Fedora 18 and 19:
>> * https://bugzilla.redhat.com/show_bug.cgi?id=971878
>> This one usually kills an individual's system.
> see my comment https://bugzilla.redhat.com/show_bug.cgi?id=971878#c1
> still not a security problem per se

Correct, it's a DOS problem.

>> * https://bugzilla.redhat.com/show_bug.cgi?id=1006658
>> This means using "convert" on a webserver allows arbitrary users on the web to kill servers
> if arbitrary users are allowed to call CLI applications from a webserver

?!? Calling CLI tools underneath webservices is the norm on many
webservers. Often these calls are wrapped into scripting languages, be
they perl, python or php.

> you have a security problem and that is for sure *not* TmpOnTmpfs

TmpOnTmpfs opens opportunities for DOS attacks which do not exist with
TmpOnFS.
Ralf
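A quick check for the condition argued about above (a small, RAM-backed tmpfs /tmp that programs expecting a large /tmp can fill up), added here as an example and not part of the mailing-list message; the mount table and df output it falls back to are constructed sample data, and the 80% threshold is an assumed default.

```shell
#!/bin/sh
# Added example (not from the thread): report whether /tmp is a tmpfs and
# how full it is. Functions read mount-table / df text on stdin so they
# work on both the live system and constructed sample data.

# Print the filesystem type of /tmp from /proc/self/mounts-style input
# (fields: source target fstype options dump pass).
tmp_fstype() {
    awk '$2 == "/tmp" { t = $3 }
         END { if (t == "") print "(not a separate mount)"; else print t }'
}

# From POSIX "df -P" output, print the percent used on the /tmp line (digits only).
tmp_used_pct() {
    awk '$6 == "/tmp" { sub(/%/, "", $5); print $5 }'
}

# Print a one-line verdict for fstype $1 and percent-used $2; $3 is the
# warning threshold (assumed default 80%). Reports only, never fails.
assess_tmp() {
    fstype="$1"; pct="${2:-0}"; limit="${3:-80}"
    if [ "$fstype" = "tmpfs" ]; then
        if [ "$pct" -ge "$limit" ] 2>/dev/null; then
            echo "RISK: /tmp is tmpfs and ${pct}% full; programs assuming a large /tmp may fail"
        else
            echo "INFO: /tmp is tmpfs (${pct}% used); its size is bounded by RAM/swap, not the root disk"
        fi
    else
        echo "INFO: /tmp is on $fstype (${pct}% used)"
    fi
}

# Constructed sample data (not captured from a real system).
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,size=2048000k 0 0'
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda2 102400000 51200000 51200000 50% /
tmpfs 2048000 1945600 102400 95% /tmp'

# Stand-alone run: use the live system when available, else the sample data.
if [ -r /proc/self/mounts ] && command -v df >/dev/null 2>&1; then
    fs=$(tmp_fstype </proc/self/mounts); pct=$(df -P /tmp 2>/dev/null | tmp_used_pct)
else
    fs=$(printf '%s\n' "$SAMPLE_MOUNTS" | tmp_fstype); pct=$(printf '%s\n' "$SAMPLE_DF" | tmp_used_pct)
fi
assess_tmp "$fs" "$pct"
```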
--
devel mailing list
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct