Re: Pentium DEATH in user-mode
Richard Jones (richard@a42.deep-thought.org)
Mon, 10 Nov 1997 10:22:53 +1100
Oliver Xymoron <oxymoron@waste.org> wrote:
> On Sat, 8 Nov 1997, Richard B. Johnson wrote:
>
> > If your pentium is used as a file-server or something in which a
> > user doesn't log in, you will have no problem. Just rename the gcc
> > compiler so someone can't write code on your system.
>
> Note that this bug means ANY buffer overflow bug, even on non-setuid apps,
> is now an entry point for an attacker to crash your machine. Got users on
> your system who wrote their own CGI apps in C?
Personally I would prefer the system goes down than have a remote user
give themselves a shell on my system. IMO if you have remotely exploitable
buffer overflows then DoS is the least of your problems, but then I guess it
depends on which direction your tolerances lie.
> Ouch. Let's make that
> non-executable stack patch part of the mainstream kernel.
>
Yup.
Richard Jones.