On Sat, Dec 14, 2019 at 10:49:31AM +0100, Frank Beuth wrote:
> On Wed, Dec 11, 2019 at 01:51:18PM -0500, T.J. Townsend wrote:
> > Errata patches for ld.so have been released for OpenBSD 6.5 and 6.6.
> >
> > ld.so may fail to remove the LD_LIBRARY_PATH environment variable for
> > set-user-ID and set-group-ID executables in low memory conditions.
>
> The security advisory connected with this bug indicates the patch was
> published within 3 hours of reporting:
> https://www.openwall.com/lists/oss-security/2019/12/11/9
>
> OpenBSD doesn't have unit tests (or if there are, they're not in the main
> source tree). How does the project ensure that such wonderfully quick
> fixes don't introduce new bugs?
>
We do have tests in src/regress. But remember: tests do not prove your
code is correct. We look at code, that is a very important skill.

The fix in this case isn't very complicated and can easily be verified.
You can do that too!

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/libexec/ld.so/loader.c.diff?r1=1.188&r2=1.189&sortby=date&f=h

	-Otto
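The failure mode the errata describes, an environment scrub for set-id executables that is skipped under memory pressure, is easy to reproduce in miniature and to check by reading. The block below is an added illustration written for this page; it is not OpenBSD's ld.so code, not Otto's, and does not claim to mirror the loader.c change linked above. The environment array, the `split_path` stand-in, and the `simulate_oom` switch are all constructed for the example. It contrasts an ordering in which the unset is reached only after an allocation that can fail with one in which a non-allocating unset runs first.

```c
#include <stdlib.h>
#include <string.h>

/* Return the value of NAME in envp, or NULL if it is not set. */
static char *env_lookup(char **envp, const char *name)
{
    size_t n = strlen(name);
    for (; *envp != NULL; envp++)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return *envp + n + 1;
    return NULL;
}

/* Drop every NAME=... entry from envp in place. It allocates nothing,
 * so it cannot fail under memory pressure. */
static void env_unset(char **envp, const char *name)
{
    size_t n = strlen(name);
    char **rd = envp, **wr = envp;
    for (; *rd != NULL; rd++)
        if (!(strncmp(*rd, name, n) == 0 && (*rd)[n] == '='))
            *wr++ = *rd;
    *wr = NULL;
}

/* Stand-in for a path-splitting step that allocates (constructed for this
 * example); the flag forces the low-memory path deterministically. */
static int simulate_oom = 0;

static char *split_path(const char *path)
{
    if (simulate_oom)
        return NULL;
    size_t len = strlen(path) + 1;
    char *copy = malloc(len);
    if (copy != NULL)
        memcpy(copy, path, len);
    return copy;
}

/* Fragile ordering (constructed illustration, not OpenBSD's code): the
 * unset sits behind an allocation that can fail, so the early return
 * leaves LD_LIBRARY_PATH in the environment handed to child processes. */
static int fragile_boot(char **envp, int privileged)
{
    char *lp = env_lookup(envp, "LD_LIBRARY_PATH");
    if (lp != NULL) {
        char *parsed = split_path(lp);
        if (parsed == NULL)
            return -1;            /* bails out before the unset below */
        free(parsed);
        if (privileged)
            env_unset(envp, "LD_LIBRARY_PATH");
    }
    return 0;
}

/* Robust ordering: for set-id executables, remove the variable first with
 * a routine that cannot fail, and never consult it afterwards. */
static int robust_boot(char **envp, int privileged)
{
    if (privileged)
        env_unset(envp, "LD_LIBRARY_PATH");
    char *lp = env_lookup(envp, "LD_LIBRARY_PATH");
    if (lp != NULL) {
        char *parsed = split_path(lp);
        if (parsed == NULL)
            return -1;            /* the variable is already gone either way */
        free(parsed);
    }
    return 0;
}

/* Constructed environment for a hypothetical set-user-ID process. */
static void make_env(char **envp)
{
    envp[0] = "PATH=/usr/bin:/bin";
    envp[1] = "LD_LIBRARY_PATH=/tmp/evil";
    envp[2] = "HOME=/root";
    envp[3] = NULL;
}

/* Run a boot routine as privileged under simulated memory exhaustion and
 * report whether LD_LIBRARY_PATH survived (1 = leaked, 0 = scrubbed). */
static int leaks_under_oom(int (*boot)(char **, int))
{
    char *envp[4];
    make_env(envp);
    simulate_oom = 1;
    (void)boot(envp, 1);
    simulate_oom = 0;
    return env_lookup(envp, "LD_LIBRARY_PATH") != NULL;
}

int fragile_leaks(void) { return leaks_under_oom(fragile_boot); }
int robust_leaks(void)  { return leaks_under_oom(robust_boot); }

/* Sanity check: with memory available the robust path also scrubs. */
int robust_normal_leaks(void)
{
    char *envp[4];
    make_env(envp);
    return robust_boot(envp, 1) != 0 ||
           env_lookup(envp, "LD_LIBRARY_PATH") != NULL;
}
```

The point to take from reading it, rather than from running it, is the one Otto makes: the property "a set-id process never passes LD_LIBRARY_PATH to its children" is checkable by inspecting every path out of the function, and the robust version makes that inspection trivial because the scrub happens before any operation that can fail.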