On 21.11.2010 13:16, Guido Berhoerster wrote:
* Sebastian Siebert [2010-11-21 12:31]:
On 21.11.2010 11:35, Guido Berhoerster wrote:
* Sebastian Siebert [2010-11-21 11:02]:
[...] Is there any other solution other than the sledgehammer?
Yes, check the source code at the specified locations to see whether there is a potential buffer overflow; the GCC compile-time buffer checks are activated for a reason.
Hm, the upstream thinks that is a problem of gcc: http://www.mail-archive.com/vim_dev@googlegroups.com/msg04786.html
vim seems to use some clever optimizations for memory management which break with -D_FORTIFY_SOURCE=2, so in this case it seems justified to replace it with -D_FORTIFY_SOURCE=1 as recommended by upstream.
With respect to security: is the option "-D_FORTIFY_SOURCE=1" a break in the security over the whole program runtime? I still have my doubts. I would be glad if someone can look into the source code.

File: vim73/src/eval.c
Lines around 21795 - 21831

A possible security break in the line with CFLAGS "-D_FORTIFY_SOURCE=2":
21802: STRCPY(name, "self");
21823: STRCPY(name, "000");

Thank you,

--
Kind regards, Sebastian
- openSUSE Member (Freespacer)
Website/Blog: http://www.sebastian-siebert.de
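As an added illustration of the question above (not part of the original message and not vim's code), this C model shows what the two levels check for strcpy(): glibc bounds the copy with `__builtin_object_size(dst, 1)` (innermost subobject) at level 2 and with `__builtin_object_size(dst, 0)` (rest of the whole object) at level 1. The struct layout, names and `checked_strcpy` helper are constructed assumptions standing in for the kind of layout that triggers the difference.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout with hypothetical names (not vim's source): a header
 * ending in a 1-byte array, followed by room the key is meant to spill into. */
struct item { int flags; char key[1]; };
struct slot { struct item it; char room[20]; };

/* Offset of the key inside the enclosing object. */
size_t key_offset(void) {
    return offsetof(struct slot, it) + offsetof(struct item, key);
}

/* Level 2 bound for strcpy(): the innermost subobject only,
 * as __builtin_object_size(dst, 1) reports it. */
size_t bound_level2(void) { return sizeof(((struct item *)0)->key); }

/* Level 1 bound: bytes left to the end of the whole object,
 * as __builtin_object_size(dst, 0) reports it. */
size_t bound_level1(void) { return sizeof(struct slot) - key_offset(); }

/* Model of the fortified strcpy(): copy when src fits within the bound,
 * return -1 where the real check would abort the process. */
int checked_strcpy(char *dst, size_t bound, const char *src) {
    size_t need = strlen(src) + 1;
    if (need > bound)
        return -1;
    memcpy(dst, src, need);
    return 0;
}

int main(void) {
    struct slot s;
    char *key = (char *)&s + key_offset();
    memset(&s, 0, sizeof s);
    printf("level 2 bound %zu: \"self\" -> %d\n",
           bound_level2(), checked_strcpy(key, bound_level2(), "self"));
    printf("level 1 bound %zu: \"self\" -> %d\n",
           bound_level1(), checked_strcpy(key, bound_level1(), "self"));
    printf("level 1, 40 bytes -> %d\n", checked_strcpy(key, bound_level1(),
           "0123456789012345678901234567890123456789"));
    return 0;
}
```

In this model the level 1 bound still rejects a copy that would run past the end of the enclosing object; what it no longer catches is a copy that overruns one member into the next member of the same object.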