[Pkg-scicomp-devel] Bug#441478: [ptb at inv.it.uc3m.es: Bug#441478: libglpk0: security flaw buffer overflow in glplib05.c xvprintf]

Rafael Laboissiere rafael at debian.org
Fri Sep 14 21:33:55 UTC 2007


* Rafael Laboissiere <rafael at debian.org> [2007-09-14 20:50]:

> * Andrew Makhorin <mao at gnu.org> [2007-09-14 15:04]:
> 
> > > Even though _glp_lib_xprintf is not declared in glpk.h, it is available in
> > > libglpk.so and malicious programs *_can_* be written that could exploit the
> > > vulnerability.
> >     
> > I see no way how to hide such internal routines from the linker.
> 
> I do not know either.

Actually, there is a way to circumvent the problem.  It is quite ugly and I
am not sure you would like to implement it.  Here it is: make the functions
xprintf and xprint1 both static, and move them, together with xvprintf, into
a header file (.h) which will be included by all other files calling xprintf
or xprint1.  The only side effect is that the resulting shared library will
increase in size.

-- 
Rafael
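
The header-file approach proposed in the message above, sketched as an added example (not code from GLPK or from this thread). The file name, the buffer size, the exported routine `lib_report_row`, and the `vsnprintf` bound in `xvprintf` are assumptions made for illustration.

```c
/* xprint_static.h (hypothetical name): included by each library source
 * file that calls xprintf, instead of linking to a shared definition. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define XMSG_MAX 64 /* assumed size, kept small for the demonstration */

/* static: every including file gets its own private copy of the buffer */
static char x_last_msg[XMSG_MAX];

/* static gives internal linkage, so the function is not exported from
 * the shared library and other programs cannot link against it.
 * Returns 1 if the message was truncated, 0 if it fit, -1 on error. */
static int xvprintf(const char *fmt, va_list arg)
{
    /* vsnprintf writes at most XMSG_MAX bytes including the NUL and
     * returns the length the complete output would have needed. */
    int need = vsnprintf(x_last_msg, sizeof x_last_msg, fmt, arg);
    if (need < 0) {
        x_last_msg[0] = '\0';
        return -1;
    }
    fputs(x_last_msg, stdout);
    return need >= (int)sizeof x_last_msg;
}

static int xprintf(const char *fmt, ...)
{
    va_list arg;
    int ret;
    va_start(arg, fmt);
    ret = xvprintf(fmt, arg);
    va_end(arg);
    return ret;
}

/* Hypothetical exported API routine: the only symbol the linker exposes. */
int lib_report_row(int row, const char *name)
{
    return xprintf("row %d: %s\n", row, name);
}

int main(void)
{
    lib_report_row(7, "x1");
    return 0;
}
```

Building this into a shared object and listing its dynamic symbols with `nm -D` shows `lib_report_row` but neither `xprintf` nor `xvprintf`; each source file that includes the header carries its own copy of the static code, which is the size increase the message mentions.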




