On Mon, Apr 11, 2011 at 03:32:15PM -0400, Leonid Flaks wrote:
> >And if that's the goal and the libgomp.so.3 that's distributed with Coot is
> That should be libgmp, libgomp.
Natch.
> And now once this vulnerability is well documented on a public list, a
> very talented teenager from (put any country name here) will put some
> code up to exploit it - just give google crowler a few days to index the
> list. After that it would not matter if you use selinux or not. What
> would matter is if you use this broken library or not.
There's no guarantee that there's insecure code in libgmp, so I don't think
it qualifies as a vulnerability.
As a possibly strange data point, none of the libgmp.so.3.4.4 libraries
distributed with the versions of Coot that I have installed require execstack:
$ sblocate -p libgmp.so.3.4.4 | grep i386-linux/coot | xargs -n 1 execstack -q
- /programs/i386-linux/coot/0.6.1/lib/libgmp.so.3.4.4
- /programs/i386-linux/coot/0.6.1-x86_64/lib/libgmp.so.3.4.4
- /programs/i386-linux/coot/0.6.2-pre-1-r3291-x86_64/lib/libgmp.so.3.4.4
- /programs/i386-linux/coot/0.6.2-pre-1-r3291-x86_64-rh4/lib/libgmp.so.3.4.4
- /programs/i386-linux/coot/0.6.2-pre-1-r3334/lib/libgmp.so.3.4.4
- /programs/i386-linux/coot/0.6.2-pre-1-r3334-x86_64/lib/libgmp.so.3.4.4
- /programs/i386-linux/coot/0.6.2-pre-1-r3440/lib/libgmp.so.3.4.4
- /programs/i386-linux/coot/0.6.2-pre-1-r3440-x86_64/lib/libgmp.so.3.4.4
-ben
--
| Ben Eisenbraun
| SBGrid Consortium | http://sbgrid.org |
| Harvard Medical School | http://hms.harvard.edu |
|