Regression in signal handler.

This vulnerability is exploitable remotely on glibc-based Linux systems, where syslog() itself calls async-signal-unsafe functions (for example, malloc() and free()): an unauthenticated remote code execution as root, because it affects sshd’s privileged code, which is not sandboxed and runs with full privileges.

  • @refaloEnglish
    -14 days ago

    I don’t get it… wouldn’t everything < 9.8p1 already include <= 8.5p1? So why is it even necessary to mention?

    • @rushactionEnglish
      44 days ago

      Because this is a regression and this particular issue was introduced in 8.5p1. So it only affects versions newer than that, up until when it was fixed in 9.8p1.

    • @towerfulEnglish
      24 days ago

      For an integer, 4 < x < 6 x has to be 5. It’s the only value that satisfies all sides of the equation.
      You are deriving a set of values for open ssh that satisfies all sides of the equation.

      I think it’s more of a mathematical representation than programming representation (I mean, I don’t know of a language that would accept that syntax).
      Certainly psuedocode would have quick statements like this

      • @refaloEnglish
        24 days ago

        seems to work fine in C and I can find quite a bit of examples of it being used actually

        • @towerfulEnglish
          13 days ago

          Oh, I can’t find any examples. What are you searching for?
          The closest I can find is an old hlsl offhand comment showing the syntax in isolation, but no example.
          https://stackoverflow.com/a/29689866