From patchwork Fri Dec 4 19:36:27 2015
X-Patchwork-Submitter: Carlos O'Donell
X-Patchwork-Id: 552872
Subject: Re: Fix nan functions handling of payload strings (bug 16961, bug 16962)
To: Joseph Myers, Florian Weimer
References: <565C2142.9080008@redhat.com>
Cc: libc-alpha@sourceware.org
From: "Carlos O'Donell"
Message-ID: <5661EB3B.2060507@redhat.com>
Date: Fri, 4 Dec 2015 14:36:27 -0500

On 12/01/2015 07:50 PM, Joseph Myers wrote:
> On Mon, 30 Nov 2015, Florian Weimer wrote:
>
>> On 11/27/2015 01:26 AM, Joseph Myers wrote:
>>
>>> Carlos, the NEWS entry is a consequence of what you said in
>>> about
>>> security+ bugs (such as this one, involving an unbounded stack
>>> allocation from what could theoretically be untrusted input) getting
>>> such entries. Does it seem right to you? Once the NEWS entry is
>>> resolved, I intend to commit this patch.
>>
>>> +* The nan, nanf and nanl functions no longer have unbounded stack usage
>>> + depending on the length of the string passed as an argument to the
>>> + functions. Reported by Joseph Myers.
>>> +
>>
>> I think reporters of security bugs want their bugs marked as security
>> bugs. This could be achieved by putting them into a separate section, or
>> adding a “SECURITY: ” prefix or something like that.
>
> Any other comments on the NEWS entry, supposing such a prefix to be added?

The NEWS entry looks good to me.

However, I agree with Florian that we need to call out the security
related changes in a distinct section e.g. "Security related changes:",
though I'm open to suggestions for how to name it or if it comes first
or last in the list of changes.

Additionally I think it would be nice to put security+ bugs in their
own bug list, which involves enhancing or running a different script
with query to get the list of those bugs.

e.g.
---
Cheers,
Carlos.

diff --git a/NEWS b/NEWS index cb61a3a..295d747 100644 --- a/NEWS +++ b/NEWS
@@ -60,6 +60,17 @@ Version 2.23 C Library is GCC 4.7. Older GCC versions, and non-GNU compilers, can still be used to compile programs using the GNU C Library. +Security related changes: + +* The nan, nanf and nanl functions no longer have unbounded stack usage + depending on the length of the string passed as an argument to the + functions. Reported by Joseph Myers. + +* The following security bugs are resolved with this release: + + [Some other script which generates the list of security+ bugs + resolved in this release.] + * The following bugs are resolved with this release: [The release manager will add the list generated by
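
Review bot: the existing "* The following bugs are resolved with this release:" bullet now follows directly after the new "Security related changes:" bullets with no heading of its own, so the general bug list reads as if it belonged to the security section. Put the security block under its own heading and give the general list a separate heading or other clear break so the two lists cannot be confused. The nan/nanf/nanl entry also carries no bug reference, although the subject names bug 16961 and bug 16962; citing the relevant bug number in the entry would let readers of the security section find the report. The bracketed "[Some other script which generates the list of security+ bugs resolved in this release.]" placeholder does not name the script or query, so it should be pinned down before this wording is committed.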