On 04/11/2011 03:45 PM, Ben Eisenbraun wrote:
> On Mon, Apr 11, 2011 at 03:32:15PM -0400, Leonid Flaks wrote:
>>> And if that's the goal and the libgomp.so.3 that's distributed with Coot is
>> That should be libgmp, libgomp.
> Natch.
>
>> And now once this vulnerability is well documented on a public list, a
>> very talented teenager from (put any country name here) will put some
>> code up to exploit it - just give google crowler a few days to index the
>> list. After that it would not matter if you use selinux or not. What
>> would matter is if you use this broken library or not.
> There's no guarantee that there's insecure code in libgmp, so I don't think
> it qualifies as a vulnerability.
>
> As a possibly strange data point, none of the libgmp.so.3.4.4 libraries
> distributed with the versions of Coot that I have installed require execstack:
>
> $ sblocate -p libgmp.so.3.4.4 | grep i386-linux/coot | xargs -n 1 execstack -q
> - /programs/i386-linux/coot/0.6.1/lib/libgmp.so.3.4.4
> - /programs/i386-linux/coot/0.6.1-x86_64/lib/libgmp.so.3.4.4
> - /programs/i386-linux/coot/0.6.2-pre-1-r3291-x86_64/lib/libgmp.so.3.4.4
> - /programs/i386-linux/coot/0.6.2-pre-1-r3291-x86_64-rh4/lib/libgmp.so.3.4.4
> - /programs/i386-linux/coot/0.6.2-pre-1-r3334/lib/libgmp.so.3.4.4
> - /programs/i386-linux/coot/0.6.2-pre-1-r3334-x86_64/lib/libgmp.so.3.4.4
> - /programs/i386-linux/coot/0.6.2-pre-1-r3440/lib/libgmp.so.3.4.4
> - /programs/i386-linux/coot/0.6.2-pre-1-r3440-x86_64/lib/libgmp.so.3.4.4
>
> -ben
>
> --
> | Ben Eisenbraun
> | SBGrid Consortium | http://sbgrid.org |
> | Harvard Medical School | http://hms.harvard.edu |
Ben, do you have version 3.3 of this library?
In my case binary came with both 3.3 and 3.4. Only 3.3 had this flag
set, 3.4 is good. I used rev 3455 built for CentOS -64 but with python
and gtk, same problem was on an earlier build.
--
Leonid Flaks
Phone: (631) 344-2682
Fax : (631) 344-2741
|