This patch has recently been announced on bugtraq and might also be relevant.

Aside from providing these patches at debian/patches, is there any way they could be applied to the stock gcc-3.3 package? As I understand it, in order for these to be activated, sources need to be compiled with an explicit option. What harm is there in patching Debian's gcc-3.3? Any known issues on some of our supported platforms?

Regards

Javi

-------- Original Message --------
Subject: [ANNOUNCE] glibc heap protection patch
Date: Mon, 1 Dec 2003 11:31:03 -0800
From: William Robertson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], bugtraq@securityfocus.com, focus-ids@securityfocus.com

Hi all,

I'd just like to announce that we have a heap protection system for glibc available for download. The system detects and prevents all heap overflow exploits that modify inline control information from succeeding against a protected application, can be installed system-wide or on a per-process basis using LD_PRELOAD, and is transparent to existing applications. We would definitely appreciate any feedback and bug reports on the code.

The patch and some additional information are available at:

http://www.cs.ucsb.edu/~wkr/projects/heap_protection/

Enjoy!

--
William Robertson
Reliable Software Group, UC Santa Barbara
http://www.cs.ucsb.edu/~wkr/
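To make concrete what "protecting inline control information" means, here is an added, deliberately simplified model of the idea (example code written for this thread, not the UCSB patch and not glibc's allocator): each chunk header carries a keyed checksum over its size and address, and the header is verified before its metadata is trusted. The arena, the secret and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed secret; a real implementation would draw it from a random
 * source at process start so an attacker cannot forge a valid checksum. */
static uint32_t guard_secret = 0x5a17c3e9u;

/* Inline chunk header: the size field is exactly the kind of control data
 * a heap overflow from the previous chunk can overwrite. */
struct chunk_hdr {
    uint32_t size;
    uint32_t check;   /* keyed checksum over size and the header address */
};

/* Mix size, address and secret; every step is a bijection on 32 bits, so
 * any change to the size field changes the checksum. */
static uint32_t hdr_checksum(const struct chunk_hdr *h) {
    uint32_t x = h->size ^ guard_secret ^ (uint32_t)(uintptr_t)h;
    x ^= x >> 16; x *= 0x7feb352du; x ^= x >> 15;
    return x;
}

/* Bump-allocate a chunk inside a caller-provided arena and seal its header. */
static unsigned char *arena_alloc(unsigned char *arena, size_t *cursor, uint32_t size) {
    struct chunk_hdr *h = (struct chunk_hdr *)(arena + *cursor);
    h->size = size;
    h->check = hdr_checksum(h);
    *cursor += sizeof *h + size;
    return (unsigned char *)(h + 1);
}

/* The check an allocator would run before free/unlink uses the header:
 * returns 1 if the header is intact, 0 if it has been tampered with. */
static int chunk_verify(const unsigned char *user_ptr) {
    const struct chunk_hdr *h = (const struct chunk_hdr *)user_ptr - 1;
    return h->check == hdr_checksum(h);
}

/* Two adjacent 16-byte chunks; write `len` bytes into the first. Returns 1 if
 * the second chunk's header check detects the overflow, 0 if it still verifies. */
int overflow_detected(size_t len) {
    static uint64_t arena_words[32];               /* 256-byte, 8-byte aligned arena */
    unsigned char *arena = (unsigned char *)arena_words;
    size_t cursor = 0;
    memset(arena, 0, sizeof arena_words);
    unsigned char *a = arena_alloc(arena, &cursor, 16);
    unsigned char *b = arena_alloc(arena, &cursor, 16);
    if (len > 64) len = 64;                         /* keep the simulated write inside the arena */
    memset(a, 'A', len);                            /* len > 16 spills into b's header */
    return !chunk_verify(b);
}
```

A write of 16 bytes stays within the first chunk and verifies cleanly; 20 bytes overwrites the next chunk's size field and the checksum mismatch flags it before the corrupted size could be used.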