[Pkg-scicomp-devel] Bug#441478: [ptb at inv.it.uc3m.es: Bug#441478: libglpk0: security flaw buffer overflow in glplib05.c xvprintf]
Andrew Makhorin
mao at gnu.org
Fri Sep 14 11:04:54 UTC 2007
>> _glp_lib_xprintf is *not* an API routine and, formally not being declared
>> in glpk.h, it is not available to the user.
> Unfortunately, this is not the case. The following works here with GLPK
> 4.21:
> $ cat test.c
> main () { _glp_lib_xprintf ("Ouch!\n"); }
> $ gcc test.c -o test -lglpk
> $ ./test
> Ouch!
> Even though _glp_lib_xprintf is not declared in glpk.h, it is available in
> libglpk.so and malicious programs *_can_* be written that could exploit the
> vulnerability.
I see no way to hide such internal routines from the linker.
I just follow some recommendations given in the GNU Coding Standards
http://www.gnu.org/prep/standards/standards.html (Section 4.3 Library
Behavior):

    External symbols that are not documented entry points for the
    user should have names beginning with _. The _ should be
    followed by the chosen name prefix for the library, to prevent
    collisions with other libraries. These can go in the same files
    with user entry points if you like.
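
The symbol-hiding question raised in this thread, as an added example that is not part of the original message and is not GLPK code: on GCC-compatible toolchains an ELF shared library can mark internal routines with hidden visibility, so they are left out of the dynamic symbol table while the underscore prefix remains a naming convention only. The library name `demo`, its functions and the buffer size are hypothetical; the internal helper formats into its fixed buffer with `vsnprintf`, so oversized input is truncated instead of written past the end.

```c
/* Added example: hypothetical library "demo", not GLPK code. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)
#  define DEMO_API      __attribute__((visibility("default")))
#  define DEMO_INTERNAL __attribute__((visibility("hidden")))
#else
#  define DEMO_API
#  define DEMO_INTERNAL
#endif

#define DEMO_MSG_MAX 64  /* fixed internal buffer size (constructed value) */

static char demo_last[DEMO_MSG_MAX];  /* last formatted message */

/* Internal helper: keeps the GNU-style leading underscore, and is also
 * marked hidden so a shared object built from this file does not export it.
 * Returns 0 on success, 1 if the message was truncated, -1 on format error. */
DEMO_INTERNAL int _demo_lib_xprintf(const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(demo_last, sizeof demo_last, fmt, ap);  /* bounded write */
    va_end(ap);
    if (n < 0) {
        demo_last[0] = '\0';
        return -1;
    }
    fputs(demo_last, stdout);
    return n >= (int)sizeof demo_last;
}

/* Documented entry points: the only symbols meant to be exported. */
DEMO_API int demo_report(const char *name)
{
    return _demo_lib_xprintf("demo: processing %s\n", name);
}

DEMO_API const char *demo_last_message(void) { return demo_last; }

int main(void)
{
    return demo_report("model.lp");  /* constructed sample input */
}
```

When the file is built as a shared object (`gcc -shared -fPIC`), `nm -D --defined-only` on the result should list `demo_report` and `demo_last_message` but not `_demo_lib_xprintf`, and a program like the `test.c` quoted above would fail at link time instead of reaching the helper.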