develooper Front page | perl.perl5.porters | Postings from December 2012

Re: [perl #115990] 3 new severe ptr errors in 5.14.3 (non-threadedasan)

Thread Previous | Thread Next
From:
Dave Mitchell
Date:
December 14, 2012 14:30
Subject:
Re: [perl #115990] 3 new severe ptr errors in 5.14.3 (non-threadedasan)
Message ID:
20121214143017.GJ1842@iabyn.com
On Thu, Dec 13, 2012 at 03:11:39PM -0600, Reini Urban wrote:
> Thanks, same here.
> I came to the believe that this is a false-positive, which was
> caused by adding the new use-after-return (UAR) detection feature.
> 
> The disassembly at this location shows some code to check for
> use-after-return here, which looks like a compiler bug to me.
> 
> http://code.google.com/p/address-sanitizer/issues/detail?id=127#c6
> 
> Unfortunately we have no way yet to tell the compiler not to
> instrument this function with the new use-after-return.

Ok, so the final tally for the three new 5.14.3 critical security bugs
appears to be:

* two existed prior to 5.14.3, so weren't new; and neither are security
  issues;

* one was an asan false positive.

In the light of this, could you please withdraw your recommendation for people
to stick with 5.14.2, since 5.14.3 contains a fix for a real, verified
(if somewhat unlikely) arbitrary code execution flaw?

-- 
A power surge on the Bridge is rapidly and correctly diagnosed as a faulty
capacitor by the highly-trained and competent engineering staff.
    -- Things That Never Happen in "Star Trek" #9

Thread Previous | Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About