owl/openwall patches

Robert Connolly robert at linuxfromscratch.org
Tue Aug 8 01:21:47 PDT 2006


Hi. Owl/Openwall have a large assortment of security-related patches for just 
about every package.

For starters, Owl has a patch for Gzip which cleans up the gzexe.in and 
zdiff.in shell scripts. For example, the vanilla Gzip does not remove 
tempfiles it created if gzip fails to decompress a file; the Owl patch 
removes the temp file before exiting the script if gzip fails. /bin/mktemp is 
added to the gzip scripts by the patch too, rather than using non-random temp 
files. Our mktemp is installed to /usr/bin, so either move mktemp to /bin or 
adjust the patch. There are a couple other modifications too. The name of the 
patch is "gzip-1.3.5-openbsd-owl-tmp.patch" if any of you want to take a look 
at it. It's not a critical patch, but I think it would be a good idea to add 
it to the book.

There's a patch for Glibc named "glibc-2.3.5-owl-alt-sanitize-env.diff". This 
patch does aggressive sterilization of the environment while running programs 
linked to libc. This patch is half-critical. This patch helps prevent 
environment-based exploits. Ncurses has a patch to use the new functions 
added by the sanitize-env patch.

Another Glibc patch, "glibc-2.3.5-openbsd-strlcpy-strlcat.diff", adds safer 
replacements to strncpy and strncat. Drepper and Linus have both commented on 
the strlcpy and strlcat functions. Drepper does not think they're suitable 
for Glibc because programmers should use strncpy and strncat properly. Linus 
has added strlcpy and strlcat functions to the kernel libraries. Having the 
attitude of 'it's better to be safe than sorry', it would be good to use 
these functions. These functions help prevent buffer overflows. Many packages 
check for strncpy and strncat during configure to see if they can be used.

There are also several other Glibc patches that are worth adding to HLFS, not 
to mention the blowfish crypt functions. And several patches to correct GCC 
warnings in some packages.

Off topic: From what I gather, mktemp is used in Binutils because it's 
portable... every system has mktemp. There are a couple patches on Google 
which add mkdtemp/mkstemp to Binutils to not only remove the compiler 
warnings, but also use better temp filenames.

robert
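
The strncpy versus strlcpy difference the message refers to, as an added example that is not part of the original post or of the Owl patch. `ex_strlcpy`, `ex_strlcat` and `is_terminated` are hypothetical local names implementing the OpenBSD-style contract, and the input string is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Local illustration of the OpenBSD strlcpy contract (hypothetical name,
 * chosen so it cannot clash with a libc that already ships strlcpy). */
size_t ex_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size != 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';              /* always terminated when size > 0 */
    }
    return srclen;                  /* >= size means the copy was truncated */
}

/* Same contract for concatenation: returns the length it tried to create. */
size_t ex_strlcat(char *dst, const char *src, size_t size)
{
    size_t dlen = 0;
    while (dlen < size && dst[dlen] != '\0')
        dlen++;
    if (dlen == size)               /* dst has no NUL within size: leave it */
        return size + strlen(src);
    return dlen + ex_strlcpy(dst + dlen, src, size - dlen);
}

/* Returns 1 if buf holds a NUL within its first size bytes. */
int is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

int main(void)
{
    const char *input = "constructed-sample-input";   /* 24 chars, constructed */
    char a[8], b[8];

    memset(a, 'X', sizeof a);
    strncpy(a, input, sizeof a);    /* fills all 8 bytes, writes no NUL */
    printf("strncpy terminated: %d\n", is_terminated(a, sizeof a));

    size_t want = ex_strlcpy(b, input, sizeof b);
    printf("strlcpy -> \"%s\", wanted %zu, truncated: %d\n",
           b, want, want >= sizeof b);
    return 0;
}
```

A caller detects truncation by comparing the return value with the buffer size, which strncpy gives no way to do.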