Hi all,

While testing a recent libuv package, I suddenly realized that when building via autotools, all assert() calls sprinkled through the libuv source are effectively armed. This differs from building via GYP, which offers a "Release" target where NDEBUG is defined. Some other portions of libuv also check on NDEBUG presence/absence.
Some well-known daemons (eg. BIND and OpenLDAP) have recently been plagued by a series of DoS issues, due to armed asserts reachable by specifically crafted input. At first glance, some of libuv's asserts may be triggerable with malicious input (eg. a NULL path in most of uv_fs_*()), causing the main application to abort. As such, as a packager I now have the following comments:

* should NDEBUG be defined also when building via autotools?
* perhaps it would be better to review the usage of asserts and replace most of them with error signaling to the app.

Cheers, Luca

-- 
.''`.  ** Debian GNU/Linux ** | Luca Bruno (kaeso)
: :' :   The Universal O.S.   | lucab (AT) debian.org
`. `'`                        | GPG: 0xBB1A3A854F3BBEBF
  `-   http://www.debian.org  | Debian GNU/Linux Developer
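The two styles the mail contrasts, as an added example that is not part of the original message and not libuv's own code: an input check done with assert() (which aborts the process when armed and silently disappears under NDEBUG) beside the same check done as a validated error return. The DEMO_* error codes, DEMO_PATH_MAX, the function names and the sample inputs are all constructed for this illustration; libuv's real uv_fs_*() signatures are not reproduced here.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed error codes in the style of negative errno values.
 * They are assumptions for this example and are not taken from uv.h. */
#define DEMO_EINVAL        (-EINVAL)
#define DEMO_ENAMETOOLONG  (-ENAMETOOLONG)
#define DEMO_PATH_MAX      4096

/* Reports whether assert() was armed when this file was compiled, i.e.
 * whether NDEBUG was absent. Build once with and once without -DNDEBUG
 * to reproduce the autotools vs. GYP "Release" difference from the mail. */
int demo_assert_armed(void)
{
#ifdef NDEBUG
    return 0;
#else
    return 1;
#endif
}

/* Style 1: treat the argument as a programmer invariant and assert on it.
 * Without NDEBUG a NULL path aborts the whole process (the DoS the mail
 * worries about); with NDEBUG the check disappears and strlen() reads
 * through a NULL pointer instead. Neither outcome is acceptable for a
 * value that may originate from untrusted input. */
size_t demo_path_len_asserting(const char *path)
{
    assert(path != NULL);
    return strlen(path);
}

/* Style 2: validate the argument and signal the problem to the caller.
 * The length bound also rejects unterminated or oversized buffers instead
 * of scanning off the end of them. */
int demo_path_len_checked(const char *path, size_t *out_len)
{
    size_t n;

    if (path == NULL || out_len == NULL)
        return DEMO_EINVAL;

    for (n = 0; n < DEMO_PATH_MAX; n++) {
        if (path[n] == '\0') {
            *out_len = n;
            return 0;
        }
    }
    return DEMO_ENAMETOOLONG;
}

/* Drives the checked variant with constructed inputs an attacker might be
 * able to steer into a path parameter. None of them aborts the process;
 * the return value is the number of inputs that were rejected. */
int demo_run_untrusted_inputs(void)
{
    static char oversized[DEMO_PATH_MAX + 16];
    const char *inputs[4];
    int failures = 0;
    size_t i;

    memset(oversized, 'a', sizeof(oversized) - 1);
    oversized[sizeof(oversized) - 1] = '\0';

    inputs[0] = "/etc/hosts";   /* ordinary path: accepted */
    inputs[1] = "";             /* empty string: accepted, length 0 */
    inputs[2] = NULL;           /* the case the mail calls out: rejected */
    inputs[3] = oversized;      /* longer than the accepted maximum: rejected */

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        size_t len = 0;
        int rc = demo_path_len_checked(inputs[i], &len);
        if (rc == 0) {
            printf("input %zu: ok, length %zu\n", i, len);
        } else {
            printf("input %zu: rejected with %d (%s)\n", i, rc, strerror(-rc));
            failures++;
        }
    }
    return failures;
}

int main(void)
{
    printf("assert() armed: %s\n", demo_assert_armed() ? "yes" : "no");
    return demo_run_untrusted_inputs() == 2 ? 0 : 1;
}
```

Compile it twice, with and without -DNDEBUG, and call demo_path_len_asserting(NULL) in each build to see the abort versus the crash; demo_path_len_checked() behaves identically in both builds, which is the property an error-return interface gives a library whose callers cannot control how it was compiled.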
