Re: Security hole in gnu-win32-gcc

public inbox for cygwin@cygwin.com
 help / color / mirror / Atom feed

* Re: Security hole in gnu-win32-gcc
       [not found] <009BA1E2.EA079D00.23009@ifk20.mach.uni-karlsruhe.de>
@ 1997-09-11  0:49 ` Mikey
  1997-09-11  9:20   ` David Dyck
  0 siblings, 1 reply; 6+ messages in thread
From: Mikey @ 1997-09-11  0:49 UTC (permalink / raw)
  To: dahms, gnu-win32

Happens even on NT if system isn't configured for C2 security.

+10% security -20% speed

Don't you love Bill?

On Thu, 11 Sep 1997 02:28:54 +0200 (METDST), you wrote:

>Hi Daniel, you wrote:
>
>: I discovered a security hole in cygnus gnu-win32 gcc: Obviously,
>: allocated ram is not initialised. The generated binaries thus contain
>
>W95 only. Shouldn't happen under NT, else it wouldn't be C2 certified.
>
>
>Bye, Heribert (dahms@ifk20.mach.uni-karlsruhe.de)
>-
>For help on using this list (especially unsubscribing), send a message to
>"gnu-win32-request@cygnus.com" with one line of text: "help".
>

(jeffdbREMOVETHIS@netzone.com)
delete REMOVETHIS from the above to reply
         Mikey
-
For help on using this list (especially unsubscribing), send a message to
"gnu-win32-request@cygnus.com" with one line of text: "help".

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Security hole in gnu-win32-gcc
  1997-09-11  0:49 ` Security hole in gnu-win32-gcc Mikey
@ 1997-09-11  9:20   ` David Dyck
  0 siblings, 0 replies; 6+ messages in thread
From: David Dyck @ 1997-09-11  9:20 UTC (permalink / raw)
  To: Mikey; +Cc: dahms, gnu-win32

Quite a while ago I read the documents that described
the test that were done for the higher level security.

It assumed that Networking must have been turned off!
It also assumed that the ability to debug programs was
  also turned off.

Obviously, the didn't plan on C2 developer security :-)

On Thu, 11 Sep 1997, Mikey wrote:

> Happens even on NT if system isn't configured for C2 security.
> 
> +10% security -20% speed
> 
> Don't you love Bill?
> 
> On Thu, 11 Sep 1997 02:28:54 +0200 (METDST), you wrote:
> 
> >Hi Daniel, you wrote:
> >
> >: I discovered a security hole in cygnus gnu-win32 gcc: Obviously,
> >: allocated ram is not initialised. The generated binaries thus contain
> >
> >W95 only. Shouldn't happen under NT, else it wouldn't be C2 certified.
> >
> >
> >Bye, Heribert (dahms@ifk20.mach.uni-karlsruhe.de)
> >-
> >For help on using this list (especially unsubscribing), send a message to
> >"gnu-win32-request@cygnus.com" with one line of text: "help".
> >
> 
> (jeffdbREMOVETHIS@netzone.com)
> delete REMOVETHIS from the above to reply
>          Mikey

-
For help on using this list (especially unsubscribing), send a message to
"gnu-win32-request@cygnus.com" with one line of text: "help".

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Security hole in gnu-win32-gcc
  1997-09-11 10:00 Boatwright, Charles
@ 1997-09-12 15:56 ` Geoffrey Noer
  0 siblings, 0 replies; 6+ messages in thread
From: Geoffrey Noer @ 1997-09-12 15:56 UTC (permalink / raw)
  To: Boatwright Charles; +Cc: kroening, gnu-win32

Boatwright, Charles wrote:
[...]
> This is not a ( new ) security hole.  This will always happen on Win95.
> NT is another story.
[...]

I just wanted to give a disclaimer which most of you hopefully assume
anyway: Cygwin32 has not been analyzed for security issues much if it all.
I would be surprised if there weren't some serious holes, although I am
not currently aware of any.

-- 
Geoffrey Noer
noer@cygnus.com
-
For help on using this list (especially unsubscribing), send a message to
"gnu-win32-request@cygnus.com" with one line of text: "help".

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: Security hole in gnu-win32-gcc
  1997-09-10 10:28 Daniel Kroening
@ 1997-09-11 10:00 ` jman
  0 siblings, 0 replies; 6+ messages in thread
From: jman @ 1997-09-11 10:00 UTC (permalink / raw)
  To: Daniel Kroening, gnu-win32

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This was found an discussed a while back you can search the ml 
archive's for exact times, but nothing was ever decisive about it 
other then its there an nothing can be done. I have found reboot the 
win95 system an before ya do anything else as in opening a secure 
document do your compiling then and only then open the secure 
document. 

At 07:40 PM 9/9/97 +0000, Daniel Kroening wrote:
>Hello,
>
>I discovered a security hole in cygnus gnu-win32 gcc: Obviously,
>allocated ram is not initialised. The generated binaries thus 
contain
>parts of the main memory of the machine compiling it. In binaries, 
where
>uninitialied arrays are, I discovered parts of web pages and other 
data
>of the memory. It might sound harmless, but confident documents or 
even
>pgp secret keys might get disclosed.
>
>Daniel Krvning
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBNBgjqw6ne3t4b32aEQIXdQCgwNI9qcxbIZO884lQjB3Uq4kSn6gAoNDb
OaldB/O+u6KnWeOAABhnKR2j
=t0eZ
-----END PGP SIGNATURE-----

-------------------------------------------------------
Jason L. Esman aka _Jman  Owner Den Internet Services
System Admin. Network Consulting 
http://www.deninc.com | (down) irc.lx.net irc.deninc.com
Email jman@lx.net or root@lx.net
Finger jman@lx.net for PGP Public Keys... 
-------------------------------------------------------

-
For help on using this list (especially unsubscribing), send a message to
"gnu-win32-request@cygnus.com" with one line of text: "help".

^ permalink raw reply	[flat|nested] 6+ messages in thread

* RE: Security hole in gnu-win32-gcc
@ 1997-09-11 10:00 Boatwright, Charles
  1997-09-12 15:56 ` Geoffrey Noer
  0 siblings, 1 reply; 6+ messages in thread
From: Boatwright, Charles @ 1997-09-11 10:00 UTC (permalink / raw)
  To: 'Daniel Kroening'; +Cc: 'gnu-win32@cygnus.com'

Daniel,

Before this causes all sorts of excitement to the list (again).
You can't avoid it without much ado.  Even a reboot on some 
PCs won't clear  all memory, so the OS must supply the implementation.

This is not a ( new ) security hole.  This will always happen on Win95.

NT is another story.

This security costs CPU cycles.  At times it costs alot.  
Memory allocation (GlobalAlloc) is much 
slower, especially  following a swap (I don't know the 
exact reason why .... yet).  Also program loading is slower.

-chuck

> ----------
> From: 	Daniel Kroening[SMTP:kroening@hit.handshake.de]
> Sent: 	Tuesday, September 09, 1997 12:40 PM
> To: 	gnu-win32@cygnus.com
> Subject: 	Security hole in gnu-win32-gcc
> 
> Hello,
> 
> I discovered a security hole in cygnus gnu-win32 gcc: Obviously,
> allocated ram is not initialised. The generated binaries thus contain
> parts of the main memory of the machine compiling it. In binaries,
> where
> uninitialied arrays are, I discovered parts of web pages and other
> data
> of the memory. It might sound harmless, but confident documents or
> even
> pgp secret keys might get disclosed.
> 
> Daniel Krvning
> -
> For help on using this list (especially unsubscribing), send a message
> to
> "gnu-win32-request@cygnus.com" with one line of text: "help".
> 
-
For help on using this list (especially unsubscribing), send a message to
"gnu-win32-request@cygnus.com" with one line of text: "help".

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Security hole in gnu-win32-gcc
@ 1997-09-10 10:28 Daniel Kroening
  1997-09-11 10:00 ` jman
  0 siblings, 1 reply; 6+ messages in thread
From: Daniel Kroening @ 1997-09-10 10:28 UTC (permalink / raw)
  To: gnu-win32

Hello,

I discovered a security hole in cygnus gnu-win32 gcc: Obviously,
allocated ram is not initialised. The generated binaries thus contain
parts of the main memory of the machine compiling it. In binaries, where
uninitialied arrays are, I discovered parts of web pages and other data
of the memory. It might sound harmless, but confident documents or even
pgp secret keys might get disclosed.

Daniel Krvning
-
For help on using this list (especially unsubscribing), send a message to
"gnu-win32-request@cygnus.com" with one line of text: "help".

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~1997-09-12 15:56 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <009BA1E2.EA079D00.23009@ifk20.mach.uni-karlsruhe.de>
1997-09-11  0:49 ` Security hole in gnu-win32-gcc Mikey
1997-09-11  9:20   ` David Dyck
1997-09-11 10:00 Boatwright, Charles
1997-09-12 15:56 ` Geoffrey Noer
  -- strict thread matches above, loose matches on Subject: below --
1997-09-10 10:28 Daniel Kroening
1997-09-11 10:00 ` jman

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).