
Re: (no subject)



> 
> Lucent's Bell Labs releases free Linux software that foils the most common
> computer security attack
> FOR RELEASE THURSDAY APRIL 20, 2000
> 
> MURRAY HILL, N.J. -- Lucent Technologies' (NYSE: LU) Bell Labs announced
> ...

Don't hold your breath; contrary to kernel-based solutions (mainly
Solar's Linux Kernel Patch from Openwall Project -
http://www.openwall.com/linux/ ), this one deals only with some
specific functions (e.g. strcpy) so it is not a general solution
against buffer-overflows.

Before you argue, let me say that by writing "general" I didn't mean
that the kernel-based solutions *solve* the problem; you still can
garbage the stack, but you can't execute it, so in the worst case,
the victim process will fail, but no *real* damage will be caused to
the system. What I meant was that it doesn't protect only specific
functions, but ANY function.

Linus and Alan Cox claim that preventing the stack from being
executed is not a real solution but only a workaround, so they don't
agree to insert it into the standard kernel. This is also why most of
the distributions (I think except for Mandrake in its highest
security level and Definite-Linux, as well as some security-focused
distros) don't include the kernel-based solutions, but plan to
include Lucent's solution.

-- 
Eli Marmor
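
An added illustration of the coverage point made in the message above, not code from the post, from Lucent, or from the Openwall patch: a check placed in a strcpy wrapper (the hypothetical `guarded_strcpy`) never sees a hand-written copy loop, so the loop needs its own bound. All names, sizes and the input are constructed; the guard bytes sit in the same array as the field so the overrun stays well defined.

```c
#include <stdio.h>
#include <string.h>
#define FIELD_CAP 8    /* destination field size (constructed) */
#define ARENA_LEN 32   /* field plus guard bytes in one array (constructed) */
#define GUARD 0x5A     /* constructed guard value */

/* Hypothetical library-level wrapper: only calls routed through it are checked. */
int guarded_strcpy(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (n >= cap) return -1;          /* would not fit: refuse the copy */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hand-written loop: no strcpy call, so the wrapper never sees it.
 * `limit` only keeps this demo inside the arena; it is not a field check. */
void loop_copy_unbounded(char *dst, size_t limit, const char *src) {
    size_t i = 0;
    while (src[i] != '\0' && i + 1 < limit) { dst[i] = src[i]; i++; }
    dst[i] = '\0';
}

/* The same loop with the bound checked at the loop itself. */
int loop_copy_bounded(char *dst, size_t cap, const char *src) {
    size_t i = 0;
    for (; src[i] != '\0'; i++) {
        if (i + 1 >= cap) { dst[i] = '\0'; return -1; }
        dst[i] = src[i];
    }
    dst[i] = '\0';
    return 0;
}

/* Run one copy (0 wrapper, 1 unbounded loop, 2 bounded loop) on a fresh
 * arena and count guard bytes past the field that were overwritten. */
int run_case(int which, const char *src) {
    char arena[ARENA_LEN];
    int hit = 0;
    memset(arena, GUARD, sizeof arena);
    if (which == 0) guarded_strcpy(arena, FIELD_CAP, src);
    else if (which == 1) loop_copy_unbounded(arena, ARENA_LEN, src);
    else loop_copy_bounded(arena, FIELD_CAP, src);
    for (size_t i = FIELD_CAP; i < ARENA_LEN; i++)
        if ((unsigned char)arena[i] != GUARD) hit++;
    return hit;
}

int main(void) {
    const char *in = "AAAAAAAAAAAAAAAA";  /* constructed 16-byte input */
    printf("wrapper=%d loop=%d bounded=%d\n", run_case(0, in), run_case(1, in), run_case(2, in));
    return 0;
}
```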
