* Security hole in gnu-win32-gcc
@ 1997-09-10 10:28 Daniel Kroening
1997-09-11 10:00 ` jman
0 siblings, 1 reply; 6+ messages in thread
From: Daniel Kroening @ 1997-09-10 10:28 UTC (permalink / raw)
To: gnu-win32
Hello,
I discovered a security hole in cygnus gnu-win32 gcc: Obviously,
allocated ram is not initialised. The generated binaries thus contain
parts of the main memory of the machine compiling it. In binaries, where
uninitialied arrays are, I discovered parts of web pages and other data
of the memory. It might sound harmless, but confident documents or even
pgp secret keys might get disclosed.
Daniel Krvning
-
For help on using this list (especially unsubscribing), send a message to
"gnu-win32-request@cygnus.com" with one line of text: "help".
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Security hole in gnu-win32-gcc
1997-09-10 10:28 Security hole in gnu-win32-gcc Daniel Kroening
@ 1997-09-11 10:00 ` jman
0 siblings, 0 replies; 6+ messages in thread
From: jman @ 1997-09-11 10:00 UTC (permalink / raw)
To: Daniel Kroening, gnu-win32
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This was found an discussed a while back you can search the ml
archive's for exact times, but nothing was ever decisive about it
other then its there an nothing can be done. I have found reboot the
win95 system an before ya do anything else as in opening a secure
document do your compiling then and only then open the secure
document.
At 07:40 PM 9/9/97 +0000, Daniel Kroening wrote:
>Hello,
>
>I discovered a security hole in cygnus gnu-win32 gcc: Obviously,
>allocated ram is not initialised. The generated binaries thus
contain
>parts of the main memory of the machine compiling it. In binaries,
where
>uninitialied arrays are, I discovered parts of web pages and other
data
>of the memory. It might sound harmless, but confident documents or
even
>pgp secret keys might get disclosed.
>
>Daniel Krvning
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQA/AwUBNBgjqw6ne3t4b32aEQIXdQCgwNI9qcxbIZO884lQjB3Uq4kSn6gAoNDb
OaldB/O+u6KnWeOAABhnKR2j
=t0eZ
-----END PGP SIGNATURE-----
-------------------------------------------------------
Jason L. Esman aka _Jman Owner Den Internet Services
System Admin. Network Consulting
http://www.deninc.com | (down) irc.lx.net irc.deninc.com
Email jman@lx.net or root@lx.net
Finger jman@lx.net for PGP Public Keys...
-------------------------------------------------------
-
For help on using this list (especially unsubscribing), send a message to
"gnu-win32-request@cygnus.com" with one line of text: "help".
^ permalink raw reply [flat|nested] 6+ messages in thread
[parent not found: <009BA1E2.EA079D00.23009@ifk20.mach.uni-karlsruhe.de>]
* Re: Security hole in gnu-win32-gcc
[not found] <009BA1E2.EA079D00.23009@ifk20.mach.uni-karlsruhe.de>
@ 1997-09-11 0:49 ` Mikey
1997-09-11 9:20 ` David Dyck
0 siblings, 1 reply; 6+ messages in thread
From: Mikey @ 1997-09-11 0:49 UTC (permalink / raw)
To: dahms, gnu-win32
Happens even on NT if system isn't configured for C2 security.
+10% security -20% speed
Don't you love Bill?
On Thu, 11 Sep 1997 02:28:54 +0200 (METDST), you wrote:
>Hi Daniel, you wrote:
>
>: I discovered a security hole in cygnus gnu-win32 gcc: Obviously,
>: allocated ram is not initialised. The generated binaries thus contain
>
>W95 only. Shouldn't happen under NT, else it wouldn't be C2 certified.
>
>
>Bye, Heribert (dahms@ifk20.mach.uni-karlsruhe.de)
>-
>For help on using this list (especially unsubscribing), send a message to
>"gnu-win32-request@cygnus.com" with one line of text: "help".
>
(jeffdbREMOVETHIS@netzone.com)
delete REMOVETHIS from the above to reply
Mikey
-
For help on using this list (especially unsubscribing), send a message to
"gnu-win32-request@cygnus.com" with one line of text: "help".
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: Security hole in gnu-win32-gcc
1997-09-11 0:49 ` Mikey
@ 1997-09-11 9:20 ` David Dyck
0 siblings, 0 replies; 6+ messages in thread
From: David Dyck @ 1997-09-11 9:20 UTC (permalink / raw)
To: Mikey; +Cc: dahms, gnu-win32
Quite a while ago I read the documents that described
the test that were done for the higher level security.
It assumed that Networking must have been turned off!
It also assumed that the ability to debug programs was
also turned off.
Obviously, the didn't plan on C2 developer security :-)
On Thu, 11 Sep 1997, Mikey wrote:
> Happens even on NT if system isn't configured for C2 security.
>
> +10% security -20% speed
>
> Don't you love Bill?
>
> On Thu, 11 Sep 1997 02:28:54 +0200 (METDST), you wrote:
>
> >Hi Daniel, you wrote:
> >
> >: I discovered a security hole in cygnus gnu-win32 gcc: Obviously,
> >: allocated ram is not initialised. The generated binaries thus contain
> >
> >W95 only. Shouldn't happen under NT, else it wouldn't be C2 certified.
> >
> >
> >Bye, Heribert (dahms@ifk20.mach.uni-karlsruhe.de)
> >-
> >For help on using this list (especially unsubscribing), send a message to
> >"gnu-win32-request@cygnus.com" with one line of text: "help".
> >
>
> (jeffdbREMOVETHIS@netzone.com)
> delete REMOVETHIS from the above to reply
> Mikey
-
For help on using this list (especially unsubscribing), send a message to
"gnu-win32-request@cygnus.com" with one line of text: "help".
^ permalink raw reply [flat|nested] 6+ messages in thread
* RE: Security hole in gnu-win32-gcc
@ 1997-09-11 10:00 Boatwright, Charles
1997-09-12 15:56 ` Geoffrey Noer
0 siblings, 1 reply; 6+ messages in thread
From: Boatwright, Charles @ 1997-09-11 10:00 UTC (permalink / raw)
To: 'Daniel Kroening'; +Cc: 'gnu-win32@cygnus.com'
Daniel,
Before this causes all sorts of excitement to the list (again).
You can't avoid it without much ado. Even a reboot on some
PCs won't clear all memory, so the OS must supply the implementation.
This is not a ( new ) security hole. This will always happen on Win95.
NT is another story.
This security costs CPU cycles. At times it costs alot.
Memory allocation (GlobalAlloc) is much
slower, especially following a swap (I don't know the
exact reason why .... yet). Also program loading is slower.
-chuck
> ----------
> From: Daniel Kroening[SMTP:kroening@hit.handshake.de]
> Sent: Tuesday, September 09, 1997 12:40 PM
> To: gnu-win32@cygnus.com
> Subject: Security hole in gnu-win32-gcc
>
> Hello,
>
> I discovered a security hole in cygnus gnu-win32 gcc: Obviously,
> allocated ram is not initialised. The generated binaries thus contain
> parts of the main memory of the machine compiling it. In binaries,
> where
> uninitialied arrays are, I discovered parts of web pages and other
> data
> of the memory. It might sound harmless, but confident documents or
> even
> pgp secret keys might get disclosed.
>
> Daniel Krvning
> -
> For help on using this list (especially unsubscribing), send a message
> to
> "gnu-win32-request@cygnus.com" with one line of text: "help".
>
-
For help on using this list (especially unsubscribing), send a message to
"gnu-win32-request@cygnus.com" with one line of text: "help".
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Security hole in gnu-win32-gcc
1997-09-11 10:00 Boatwright, Charles
@ 1997-09-12 15:56 ` Geoffrey Noer
0 siblings, 0 replies; 6+ messages in thread
From: Geoffrey Noer @ 1997-09-12 15:56 UTC (permalink / raw)
To: Boatwright Charles; +Cc: kroening, gnu-win32
Boatwright, Charles wrote:
[...]
> This is not a ( new ) security hole. This will always happen on Win95.
> NT is another story.
[...]
I just wanted to give a disclaimer which most of you hopefully assume
anyway: Cygwin32 has not been analyzed for security issues much if it all.
I would be surprised if there weren't some serious holes, although I am
not currently aware of any.
--
Geoffrey Noer
noer@cygnus.com
-
For help on using this list (especially unsubscribing), send a message to
"gnu-win32-request@cygnus.com" with one line of text: "help".
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~1997-09-12 15:56 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
1997-09-10 10:28 Security hole in gnu-win32-gcc Daniel Kroening
1997-09-11 10:00 ` jman
[not found] <009BA1E2.EA079D00.23009@ifk20.mach.uni-karlsruhe.de>
1997-09-11 0:49 ` Mikey
1997-09-11 9:20 ` David Dyck
1997-09-11 10:00 Boatwright, Charles
1997-09-12 15:56 ` Geoffrey Noer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).