This is the mail archive of the libstdc++@gcc.gnu.org mailing list for the libstdc++ project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: Alleged libstdc++ vulnerabilities

From: Jonathan Wakely <jwakely dot gcc at gmail dot com>
To: Florian Weimer <fweimer at redhat dot com>
Cc: "libstdc++" <libstdc++ at gcc dot gnu dot org>, oss-security at lists dot openwall dot com
Date: Fri, 14 Aug 2015 19:08:41 +0100
Subject: Re: Alleged libstdc++ vulnerabilities
Authentication-results: sourceware.org; auth=none
References: <55CE2A12 dot 6020909 at redhat dot com> <CAH6eHdRuW7F_xJNUjj0cvd2eU38xg9eWUKm4a=PYwuFCqibgfA at mail dot gmail dot com>

On 14 August 2015 at 18:55, Jonathan Wakely wrote:
> On 14 August 2015 at 18:49, Florian Weimer wrote:
>> Does anybody know what this is about and can point to the relevant PRs?
>>
>> âdiscovered serious security bugs in [â] libstdc++â
>>
>> <http://www.news.gatech.edu/2015/08/13/georgia-tech-finds-11-security-flaws-popular-internet-browsers-using-new-analysis-method>
>>
>> The USENIX paper
>> <https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-lee.pdf>
>> does not back up this claim.
>
> The paper abstract says "discovered 11 previously unknown security vulnera-
> bilities: nine in GNU libstdc++ and two in Firefox, all of which have
> been confirmed and subsequently fixed by vendors. "
>
> I guess they are referring to https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63345

And FWIW most of the "fixes" they suggested were just nonsense.

References:
- Alleged libstdc++ vulnerabilities
  - From: Florian Weimer
- Re: Alleged libstdc++ vulnerabilities
  - From: Jonathan Wakely

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]