public inbox for libc-alpha@sourceware.org
From: Xi Ruoyao <xry111@xry111.site>
To: Turritopsis Dohrnii Teo En Ming <teo.en.ming@protonmail.com>,
	 "libc-alpha@sourceware.org" <libc-alpha@sourceware.org>
Cc: "ceo@teo-en-ming-corp.com" <ceo@teo-en-ming-corp.com>
Subject: Re: New GNU C Library (glibc) security flaw reported on 30 Jan 2024
Date: Wed, 31 Jan 2024 22:23:32 +0800
Message-ID: <b6e0bf7d3e0376b37861226cb84e7eca190beb78.camel@xry111.site>
In-Reply-To: <vCs-fh6jYIOa_9Ru0H0tlrhIOOu811b3JBhYJsT4tZsBJWVmBR06ttykt_pmw9clWd8zNsiSIShRyYjpq7muFtpVYBGfMvvhB3Kk8-AfUEE=@protonmail.com>

On Wed, 2024-01-31 at 14:08 +0000, Turritopsis Dohrnii Teo En Ming
wrote:
> Subject: New GNU C Library (glibc) security flaw reported on 30 Jan 2024
> 
> Good day from Singapore,
> 
> I recently stumbled upon this insightful article and wanted to share it with you.
> 
> Article: New Linux glibc flaw lets attackers get root on major distros
> Link: https://www.bleepingcomputer.com/news/security/new-linux-glibc-flaw-lets-attackers-get-root-on-major-distros/

I cannot see why https://www.qualys.com/2024/01/30/qsort.txt is a
**Glibc** security issue.  The standard is clear that if you pass a
non-transitive comparator to qsort, you invoke undefined behavior.

While Glibc can try to make qsort "robust" due to the Hyrum rule, the
real security issue is in the programs calling qsort with bad
comparators.  Even if Glibc makes qsort "robust" those programs are
still vulnerable with a different libc.  Yes there is some security
issue, but the CVE numbers should be assigned to those broken programs,
not Glibc.

-- 
Xi Ruoyao <xry111@xry111.site>
School of Aerospace Science and Technology, Xidian University
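
The comparator requirement discussed in the message above can be checked mechanically before a comparator is handed to qsort. The following C is an added example, not code from this thread, from glibc or from the Qualys advisory; the names `cmp_subtract`, `cmp_safe` and `count_order_violations` are hypothetical and the sample values are constructed. It counts antisymmetry and transitivity violations of a comparator over every pair and triple of a sample.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example of a broken comparator: the difference wraps when the
   operands are far apart, so its sign can be wrong.  Unsigned arithmetic
   keeps the wraparound defined; the conversion back to int is
   implementation-defined (two's-complement wrap on GCC and Clang). */
static int cmp_subtract(const void *pa, const void *pb)
{
    unsigned a = (unsigned)*(const int *)pa, b = (unsigned)*(const int *)pb;
    return (int)(a - b);
}

/* Consistent total order on int: no arithmetic that can overflow. */
static int cmp_safe(const void *pa, const void *pb)
{
    int a = *(const int *)pa, b = *(const int *)pb;
    return (a > b) - (a < b);
}

typedef int (*cmp_fn)(const void *, const void *);

static int sign(int x) { return (x > 0) - (x < 0); }

/* Count violations of the ordering rules qsort relies on. */
static size_t count_order_violations(const int *v, size_t n, cmp_fn cmp)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++) {
            if (sign(cmp(&v[i], &v[j])) != -sign(cmp(&v[j], &v[i])))
                bad++;                  /* a<b must imply b>a */
            for (size_t k = 0; k < n; k++)
                if (cmp(&v[i], &v[j]) < 0 && cmp(&v[j], &v[k]) < 0 &&
                    cmp(&v[i], &v[k]) >= 0)
                    bad++;              /* a<b and b<c must imply a<c */
        }
    return bad;
}

static const int SAMPLE[] = { INT_MIN, -1, 0, 1, INT_MAX }; /* constructed */
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    printf("cmp_subtract: %zu violations\n",
           count_order_violations(SAMPLE, SAMPLE_LEN, cmp_subtract));
    printf("cmp_safe:     %zu violations\n",
           count_order_violations(SAMPLE, SAMPLE_LEN, cmp_safe));
    return 0;
}
```

The check is quadratic and cubic in the sample size, so it suits a unit test over boundary values rather than production data.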
