| # 01:34:17 | cpackham | 19 patch series to fix it. |
| # 01:34:25 | cpackham | eep |
| # 01:42:03 | cpackham | Although the ARM advisory points to just single patches for the affected versions https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64 |
| # 03:32:42 | cpackham | Nope spoke to soon. The ARM advisory points to the tip of a branch that has the patches |
| # 05:15:33 | cpackham | https://github.com/crosstool-ng/crosstool-ng/pull/2033 |
| # 05:21:06 | cpackham | quits : Ping timeout: 252 seconds |
| # 07:29:27 | milkylainen | eep indeed. |
| # 07:40:55 | milkylainen | Surprised something like that has gone undetected for that long. |
| # 09:45:18 | roolebo | quits : Server closed connection |
| # 09:45:27 | roolebo | joins #crosstool-ng |
| # 20:22:19 | cpackham | joins #crosstool-ng |
| # 20:25:20 | cpackham | It's probably the start of security researchers looking at the toolchain. |
| # 20:25:34 | cpackham | Same thing happened with spectre/retbleed |
| # 20:25:56 | cpackham | people assumed the CPUs were infallable |
| # 20:26:35 | cpackham | Ditto for compilers. They just translate text to object code so how can that go wrong |
| # 20:27:24 | cpackham | One thing that should be noted is that for this to even be an issue some other vulernabilty has to be exploited first |
| # 20:27:40 | cpackham | hence the reasonably low CVE score |
| # 21:27:34 | milkylainen | cpackham: mmm. |
| # 21:28:07 | milkylainen | But this could also be hiding stuff that people hasn't reported for a lot of weird applications? |
| # 21:28:31 | milkylainen | Stuff that maybe was better protected with a stack canary that actually did it's job? |
| # 21:29:09 | milkylainen | Isn't some distros always built with fstack-protect nowdays? |
| # 22:01:11 | cpackham | Yeah not sure. I mean fstack-protect seems like something everyone should set (although I can say that at $dayjob we don't, I should hassle the secuirty team) |