# 01:34:17 |
cpackham |
19 patch series to fix it. |
# 01:34:25 |
cpackham |
eep |
# 01:42:03 |
cpackham |
Although the ARM advisory points to just single patches for the affected versions https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64 |
# 03:32:42 |
cpackham |
Nope spoke too soon. The ARM advisory points to the tip of a branch that has the patches |
# 05:15:33 |
cpackham |
https://github.com/crosstool-ng/crosstool-ng/pull/2033 |
# 05:21:06 |
cpackham |
quits : Ping timeout: 252 seconds |
# 07:29:27 |
milkylainen |
eep indeed. |
# 07:40:55 |
milkylainen |
Surprised something like that has gone undetected for that long. |
# 09:45:18 |
roolebo |
quits : Server closed connection |
# 09:45:27 |
roolebo |
joins #crosstool-ng |
# 20:22:19 |
cpackham |
joins #crosstool-ng |
# 20:25:20 |
cpackham |
It's probably the start of security researchers looking at the toolchain. |
# 20:25:34 |
cpackham |
Same thing happened with spectre/retbleed |
# 20:25:56 |
cpackham |
people assumed the CPUs were infallible |
# 20:26:35 |
cpackham |
Ditto for compilers. They just translate text to object code so how can that go wrong |
# 20:27:24 |
cpackham |
One thing that should be noted is that for this to even be an issue some other vulnerability has to be exploited first |
# 20:27:40 |
cpackham |
hence the reasonably low CVE score |
# 21:27:34 |
milkylainen |
cpackham: mmm. |
# 21:28:07 |
milkylainen |
But this could also be hiding stuff that people haven't reported for a lot of weird applications? |
# 21:28:31 |
milkylainen |
Stuff that maybe was better protected with a stack canary that actually did its job? |
# 21:29:09 |
milkylainen |
Aren't some distros always built with fstack-protect nowadays? |
# 22:01:11 |
cpackham |
Yeah not sure. I mean fstack-protect seems like something everyone should set (although I can say that at $dayjob we don't, I should hassle the security team) |