
ndt-users - Re: Web100srv buffer overflow

Subject: ndt-users list created

  • From: Aris Adamantiadis <>
  • To: Tom Throckmorton <>
  • Cc: Clint Simmons <>,
  • Subject: Re: Web100srv buffer overflow
  • Date: Sat, 08 May 2010 12:12:05 +0200

Tom Throckmorton wrote:

>> You could try re-compiling w/ more permissive flags - I will try this
>> version
>> myself and see how it builds/runs.
>

Sorry, that's the worst security advice I have ever heard about how to
resolve a buffer overflow problem. Disabling a security feature can in
fact make the problem worse.

The procedure is the following:
1-Understand what's happening and how the buffer overflow happened.
This includes finding a reliable way to reproduce it in valgrind.
2-Find the problematic code and understand why there was a buffer
overflow. Maybe it's a compilation issue (A and B compiled with
different values for x) or a coding error.
3-Understand the scope of the problem (local DoS, remote DoS, remote
arbitrary code execution!)
4-Patch it, release an advisory if it's serious, along with ways to
mitigate the problem if you can't upgrade (fstack-protector is a good
mitigation technique, hence why disabling it is a bad idea).
5-Hope everybody will upgrade.

While I understand it's not everyone's responsibility to do 1-5, I
think we can help with 1-3.

Then, my question would be: are you able to reproduce the problem
each time? Could you compile web100srv with debugging support
(CFLAGS=-g) without altering anything, and then reproduce the problem
again? Getting a stacktrace is an excellent way of understanding what
happened.

Thanks and sorry if I was a little rude.

Aris
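
An added illustration, not part of the original message and not NDT code: a simulated stack frame showing why the stack protector mentioned in step 4 is a mitigation, and what is lost when it is switched off. `struct frame`, `GUARD`, `RET_OK` and `handle_input` are hypothetical names; a real compiler places a random per-process guard on the real stack instead of in a struct.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame: local buffer, then guard value, then saved control data. */
struct frame {
    char     buf[16];
    uint64_t canary;
    uint64_t saved_ret;
};

#define GUARD  0x00a5c3e1d2b4f697ULL  /* constructed value; real guards are random */
#define RET_OK 0x1000ULL              /* constructed "legitimate return address" */

enum outcome { RETURNED_OK, HIJACKED, ABORTED_BY_GUARD };

/* Copies len bytes into a 16-byte buffer with no bounds check. */
static enum outcome handle_input(const unsigned char *in, size_t len, int protector)
{
    struct frame f = { {0}, GUARD, RET_OK };

    if (len > sizeof f)
        len = sizeof f;                    /* keep the simulation inside the struct */
    memcpy((unsigned char *)&f, in, len);  /* anything past 16 bytes spills over buf */

    /* The guard is checked before the function "returns": a changed value
       means the frame was overwritten, so execution stops here. */
    if (protector && f.canary != GUARD)
        return ABORTED_BY_GUARD;

    /* Without the check, the function returns through whatever is in saved_ret. */
    return f.saved_ret == RET_OK ? RETURNED_OK : HIJACKED;
}

int main(void)
{
    static const char *name[] = { "returned normally", "control data overwritten",
                                  "aborted by guard" };
    unsigned char in[32];
    size_t lens[] = { 10, 20, 32 };

    memset(in, 'A', sizeof in);            /* constructed oversized input */
    for (int i = 0; i < 3; i++)
        printf("len=%2zu  no guard: %-26s with guard: %s\n", lens[i],
               name[handle_input(in, lens[i], 0)],
               name[handle_input(in, lens[i], 1)]);
    return 0;
}
```

The 20-byte case is the one to note: without the guard the function returns normally even though memory past the buffer was corrupted, so the bug stays hidden. The guard only converts the overflow into a crash, which is why the coding error still has to be found and patched.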


