Re: Exec-Shield vs. PaX

2003-11-08 Thread Daniel Jacobowitz
On Sun, Nov 09, 2003 at 08:16:35AM +1100, Russell Coker wrote: > On Fri, 7 Nov 2003 12:57, Yven Johannes Leist wrote: > > Well, I for one would love to see a security announcement one day, which > > contains something like: > > > > "All users running the standard Debian kernel are not affected, sin

Re: Exec-Shield vs. PaX

2003-11-08 Thread Russell Coker
On Fri, 7 Nov 2003 12:57, Yven Johannes Leist wrote: > Well, I for one would love to see a security announcement one day, which > contains something like: > > "All users running the standard Debian kernel are not affected, since the > special security features the Debian kernel contains prevent the

Re: Exec-Shield vs. PaX

2003-11-07 Thread Cameron Patrick
On Fri, Nov 07, 2003 at 12:15:06PM +0100, [EMAIL PROTECTED] wrote: | > I suspect we both agree that it's desirable to have thread stacks | > non-executable as well. | | on one hand you acknowledge that it's better to have non-exec thread | stacks but on the other hand you argued that | | > it's

Re: Exec-Shield vs. PaX

2003-11-07 Thread pageexec
> "The test incorrectly assumes that thread stacks are executable" is not > equivalent to "thread stacks are non-executable". And there's no conflict > in what i say above. ok, i was quoting too much and you interpreted the wrong part. the bit i was referring to is this: > I suspect we both agree

Re: Exec-Shield vs. PaX

2003-11-07 Thread Henning Makholm
Scripsit Yven Johannes Leist <[EMAIL PROTECTED]> > Well, I for one would love to see a security announcement one day, which > contains something like: > > "All users running the standard Debian kernel are not affected, since the > special security features the Debian kernel contains prevent th

Re: Exec-Shield vs. PaX

2003-11-06 Thread Yven Johannes Leist
On Wednesday 05 November 2003 07:28, Graham Wilson wrote: > On Wed, Nov 05, 2003 at 02:49:39AM +0100, Ingo Molnar wrote: > > On Tue, 4 Nov 2003 [EMAIL PROTECTED] wrote: > > > [...] > > > > [...] > > Please, guys, don't have your discussion here. I don't think we really > care about the differences

Re: Exec-Shield vs. PaX

2003-11-06 Thread Ingo Molnar
On Thu, 6 Nov 2003 [EMAIL PROTECTED] wrote: > > The test incorrectly assumes that thread stacks are executable. I suspect > > we both agree that it's desirable to have thread stacks non-executable as > > well. > > while i agree with you on this one, it is in stark contrast to what you > said ear

Re: Exec-Shield vs. PaX

2003-11-06 Thread pageexec
> > It is in fact a simulation of a multithreaded application. [...] > > The test incorrectly assumes that thread stacks are executable. I suspect > we both agree that it's desirable to have thread stacks non-executable as > well. while i agree with you on this one, it is in stark contrast to wha

Re: Exec-Shield vs. PaX

2003-11-06 Thread pageexec
> > [...] randomization serves NO purpose in the grand scheme, it does not > > provide guaranteed protection against the PaX attack model (arbitrary > > read/write access to the address space). [...] > > there's another, practical aspect of address-space randomization which i > find to be the most

Re: Exec-Shield vs. PaX

2003-11-06 Thread Ingo Molnar
On Thu, 6 Nov 2003 [EMAIL PROTECTED] wrote: > > there's nothing wrong about an executable stack though. It's been part of > > Linux ever since. > > the brk() managed heap has also been executable. yet you break apps that > assume so (the ominous XFree86 server would also use the brk() managed >

Re: Exec-Shield vs. PaX

2003-11-06 Thread Ingo Molnar
On Thu, 6 Nov 2003 [EMAIL PROTECTED] wrote: > [...] incidentally, if i were to make use of PT_GNU_STACK in PaX, i > could claim the same - now what was your point of fighting this silly > issue? yes, this was precisely my point to discuss this issue. Executability of the stack is not some divine

Re: Exec-Shield vs. PaX

2003-11-06 Thread pageexec
> You are trying to make a big fuss about this for no good reason. Ingo, please. it was *you* who objected to PaX's default enforcement policy because it broke Linus's rule. yet you did the same with your own default *and* contested the fact that you hadn't broken anything. i don't have a problem

Re: Exec-Shield vs. PaX

2003-11-06 Thread Ingo Molnar
On Thu, 6 Nov 2003 [EMAIL PROTECTED] wrote: > > actually, unmodified XFree86 works just fine. It will have an executable > > stack but it will work out of box - so no app was broken. > > false! my unmodified X server (gentoo) dies with the following core > when trying to run it under [1]: you n

Re: Exec-Shield vs. PaX

2003-11-06 Thread pageexec
> > [...] also, you did break userland yourself as well, otherwise how would > > you explain the patches RedHat made to the XFree86 server? > > actually, unmodified XFree86 works just fine. It will have an executable > stack but it will work out of box - so no app was broken. false! my unmodified

Re: Exec-Shield vs. PaX

2003-11-06 Thread Ingo Molnar
On Wed, 5 Nov 2003 [EMAIL PROTECTED] wrote: > [...] also, you did break userland yourself as well, otherwise how would > you explain the patches RedHat made to the XFree86 server? actually, unmodified XFree86 works just fine. It will have an executable stack but it will work out of box - so no a

Re: Exec-Shield vs. PaX

2003-11-05 Thread Ingo Molnar
On Wed, 5 Nov 2003 [EMAIL PROTECTED] wrote: > > non-executable pages on anything else but i386 is a triviality, as the > > hardware and the kernel supports it. There's virtually nothing that PaX or > > exec-shield has to add to enable them - they are there. You are right that the other architect

Re: Exec-Shield vs. PaX

2003-11-05 Thread Ingo Molnar
On Wed, 5 Nov 2003, Peter Busser wrote: > It is in fact a simulation of a multithreaded application. [...] The test incorrectly assumes that thread stacks are executable. I suspect we both agree that it's desirable to have thread stacks non-executable as well. > I objected to adding tests that

Re: Exec-Shield vs. PaX

2003-11-05 Thread Ingo Molnar
On Wed, 5 Nov 2003 [EMAIL PROTECTED] wrote: > > > glibc creates executable thread stacks by default. [...] > > > > to the contrary, glibc does this: > > [snip] > > $ rpm -q glibc > > glibc-2.3.2-101 > > that's what RedHat's glibc does. [...] yes. The changes are in mainline glibc, everyone

Re: Exec-Shield vs. PaX

2003-11-05 Thread Adam Heath
On Wed, 5 Nov 2003, Peter Busser wrote: > And after all, if exec-shield is being included in the Debian default kernel > source, then you are talking about the pride of a 1000 developers that are at > stake here. That is not something you should take lightly if you ask me. :-) You mean the single

Re: Exec-Shield vs. PaX

2003-11-05 Thread Peter Busser
Hi! > > this intentionally calls mprotect(PROT_EXEC) for the highest possible > > address one can think of. This call has no useful purpose at all. In other > > words, this is a specific, underhand cheat to trigger 'Vulnerable' > > messages for all items when running paxtest on exec-shield kernels

Re: Exec-Shield vs. PaX

2003-11-05 Thread pageexec
> >first of all, it's multithreaded. [...] > > paxtest does not link to libpthread, nor does it create threads, at all. > How can you claim it's multithreaded? i did not. if you quote my post like this: >let me get back to the topic of java as i promised above. java >is a nice animal

Re: Exec-Shield vs. PaX

2003-11-05 Thread Ingo Molnar
On Wed, 5 Nov 2003 [EMAIL PROTECTED] wrote: > > i downloaded the new 0.9.5 paxtest package and amongst other changes it > > has the following oneliner change: [...] > > + do_mprotect((unsigned long)argv & ~4095U, 4096, > > PROT_READ|PROT_WRITE|PROT_EXEC); >first of all, it's multi
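Review bot: in the added `do_mprotect` call, the mask `~4095U` has type unsigned int, so on a target where `unsigned long` is 64 bits it zero-extends to 0x00000000FFFFF000 and the AND clears the upper 32 bits of the `argv` address along with the page offset; `~4095UL` keeps the mask at the width of the cast. The mask and the length `4096` also hard-code the page size, so taking it from `sysconf(_SC_PAGESIZE)` would keep the range page-aligned on architectures with larger pages.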

Re: Exec-Shield vs. PaX

2003-11-05 Thread pageexec
[metanote: as you can see, we're entering the meta-discussion part and i can very well understand that it's of little if any interest to most of you (that includes me btw), so i'll try not to post more here except maybe to discuss technical issues] > > 1. 'It seems that exec-shield does 99% of what P

Re: Exec-Shield vs. PaX

2003-11-05 Thread Francesco P. Lovergine
On Wed, Nov 05, 2003 at 12:28:51AM -0600, Graham Wilson wrote: > On Wed, Nov 05, 2003 at 02:49:39AM +0100, Ingo Molnar wrote: > > On Tue, 4 Nov 2003 [EMAIL PROTECTED] wrote: > > > [...] > > [...] > > Please, guys, don't have your discussion here. I don't think we really > care about the difference

Re: Exec-Shield vs. PaX

2003-11-05 Thread Cameron Patrick
On Wed, Nov 05, 2003 at 12:28:51AM -0600, Graham Wilson wrote: | Please, guys, don't have your discussion here. I don't think we really | care about the differences between PaX and exec-shield. Debian is not, | and, to the best of my knowledge, will not, choose one for its kernels, | so there is n

Re: Exec-Shield vs. PaX

2003-11-05 Thread Graham Wilson
On Wed, Nov 05, 2003 at 02:49:39AM +0100, Ingo Molnar wrote: > On Tue, 4 Nov 2003 [EMAIL PROTECTED] wrote: > > [...] > [...] Please, guys, don't have your discussion here. I don't think we really care about the differences between PaX and exec-shield. Debian is not, and, to the best of my knowledg

Re: Exec-Shield vs. PaX

2003-11-04 Thread Ingo Molnar
On Tue, 4 Nov 2003 [EMAIL PROTECTED] wrote: > second, paxtest had some bugs which Exec-Shield exposed and made > Exec-Shield appear better than it is. i've fixed them here and > expect to release 0.9.5 today or so. the results now look like: i downloaded the new 0.9.5 paxtest package and a

Re: Exec-Shield vs. PaX

2003-11-04 Thread Ingo Molnar
On Tue, 4 Nov 2003 [EMAIL PROTECTED] wrote: > since a few points have been made regarding $subject, let me clear > up a few of them: > > 1. 'It seems that exec-shield does 99% of what PaX does' this is not the case and i'm not claiming it. If you feel attacked, please don't - i'll stipulate that