Review Rules and statically linked packages against dietlibc

Miloslav Trmac mitr at volny.cz
Fri Feb 24 13:38:02 UTC 2006


Hello,
Enrico Scholz wrote:
> 'malloc' and 'free' are the only higher level functions, all other
> functions are simple syscall wrappers and ARE implemented unexploitable
> (the related code are perhaps 20 assembly lines).  It is right that the
> dietlibc 'malloc(3)' implementation suffered the known integer overflow
> some time ago. But in the meantime, the related 162 lines of code in
> dietlibc have been reviewed several times so it can be assumed as
> error-free.
Even assuming that it is correct in the current version, there is no
reason to assume there won't be any new bugs introduced.  Will you be
reviewing every new release of dietlibc to verify that no bugs in
malloc were introduced or fixed?

If ipsvd dynamically links to glibc, the ipsvd maintainer doesn't have
to watch for dietlibc changes; the presence, absence, appearance or
fixing of libc bugs is determined purely by the version of glibc
installed and not by the version of dietlibc in the repository when
ipsvd was rebuilt for some random reason.
	Mirek
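The practical consequence of this argument is that a statically linked binary carries its own copy of libc (including malloc), so a fix in the system libc never reaches it until the package is rebuilt. As an added example, not code from the thread or from dietlibc, the following Python check inspects an ELF image's program headers and flags binaries that have no PT_INTERP entry, i.e. ones that do not load a dynamic linker and therefore embed their libc; `build_elf64` constructs minimal sample images so it runs offline.

```python
import struct

PT_INTERP = 3   # program header type naming the dynamic linker (ld.so)


def is_static_elf(data: bytes) -> bool:
    """True if the ELF image has no PT_INTERP, so no ld.so is loaded and the
    binary carries its own libc (static or static-pie). Raises on non-ELF input."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little, 2 = big
    if data[4] == 2:                                # EI_CLASS: ELF64
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    elif data[4] == 1:                              # ELF32
        (e_phoff,) = struct.unpack_from(endian + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
    else:
        raise ValueError("unknown EI_CLASS")
    for i in range(e_phnum):
        # p_type is the first 32-bit field of every program header, in both classes
        (p_type,) = struct.unpack_from(endian + "I", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            return False
    return True


def build_elf64(p_types):
    """Constructed minimal little-endian ELF64 image (header plus one zeroed
    program header per requested type); sample input for testing only."""
    phoff, phentsize = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 62, 1, 0, phoff, 0, 0, 64, phentsize, len(p_types), 0, 0, 0,
    )
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in p_types)
    return header + phdrs


def scan_file(path: str) -> bool:
    """Convenience wrapper: report whether the ELF file at `path` is statically linked."""
    with open(path, "rb") as fh:
        return is_static_elf(fh.read())


if __name__ == "__main__":
    # PT_LOAD only (static) vs. PT_LOAD + PT_INTERP + PT_DYNAMIC (dynamically linked)
    print("static:", is_static_elf(build_elf64([1, 1])))
    print("static:", is_static_elf(build_elf64([1, 3, 2])))
```

Running `scan_file` over the binaries a package installs tells a reviewer which of them freeze a libc copy at build time and must be rebuilt when that libc is fixed.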
