On Sat, Dec 14, 2019 at 10:49:31AM +0100, Frank Beuth wrote:

> On Wed, Dec 11, 2019 at 01:51:18PM -0500, T.J. Townsend wrote:
> > Errata patches for ld.so have been released for OpenBSD 6.5 and 6.6.
> > 
> > ld.so may fail to remove the LD_LIBRARY_PATH environment variable for
> > set-user-ID and set-group-ID executables in low memory conditions.
> 
> The security advisory connected with this bug indicates the patch was
> published within 3 hours of reporting: 
> https://www.openwall.com/lists/oss-security/2019/12/11/9
> 
> OpenBSD doesn't have unit tests (or if they are, they're not in the main
> source tree). How does the project ensure that such wonderfully quick
> fixes don't introduce new bugs?
> 

We do have tests in src/regress.  But remember: tests do not prove your
code is correct.

We look at code, that is a very important skill. The fix in this case
isn't very complicated and can easily be verified. You can do that
too!

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/libexec/ld.so/loader.c.diff?r1=1.188&r2=1.189&sortby=date&f=h

        -Otto
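The advisory quoted above concerns ld.so's removal of LD_LIBRARY_PATH for set-user-ID and set-group-ID executables under low-memory conditions. As an added illustration (not OpenBSD's loader code from the linked diff, and not a description of the actual defect), here is an environment scrub that works in place on the envp array without allocating anything, so it has no low-memory failure path, together with the check a regress-style test would make afterwards. The function names, the sample environment, and the `"=name="` matching are assumptions made for the example.

```c
/* Added example, not OpenBSD ld.so code: scrub a variable such as
 * LD_LIBRARY_PATH from an environment array in place.  The routine
 * allocates nothing, so it cannot fail under memory pressure; this shows
 * one design that avoids that class of failure, it does not describe how
 * the real loader was fixed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if envp[i] is an assignment to `name` ("name=..."), else 0. */
static int
is_var(const char *entry, const char *name, size_t len)
{
	return strncmp(entry, name, len) == 0 && entry[len] == '=';
}

/* Remove every entry of envp that assigns `name`, compacting the array in
 * place and keeping it NULL-terminated.  Returns the number removed. */
size_t
scrub_env(char **envp, const char *name)
{
	size_t len = strlen(name), removed = 0, i, j;

	if (envp == NULL)
		return 0;
	for (i = j = 0; envp[i] != NULL; i++) {
		if (is_var(envp[i], name, len)) {
			removed++;
			continue;	/* drop this entry */
		}
		envp[j++] = envp[i];
	}
	envp[j] = NULL;
	return removed;
}

/* Check a regress-style test would make after exec of a set-id program:
 * 1 if `name` is absent from envp, 0 if any assignment survived. */
int
env_is_clean(char **envp, const char *name)
{
	size_t len = strlen(name), i;

	for (i = 0; envp != NULL && envp[i] != NULL; i++)
		if (is_var(envp[i], name, len))
			return 0;
	return 1;
}

/* Constructed sample environment (hypothetical values), including a
 * duplicated variable to show that every copy is removed. */
char *sample_env[] = {
	"PATH=/usr/bin:/bin",
	"LD_LIBRARY_PATH=/tmp/untrusted",
	"HOME=/home/user",
	"LD_LIBRARY_PATH=/tmp/untrusted2",
	NULL,
};

int
main(void)
{
	size_t n = scrub_env(sample_env, "LD_LIBRARY_PATH");
	size_t i;

	printf("removed %zu entries; clean=%d\n", n,
	    env_is_clean(sample_env, "LD_LIBRARY_PATH"));
	for (i = 0; sample_env[i] != NULL; i++)
		printf("  %s\n", sample_env[i]);
	return 0;
}
```

The point of the in-place loop is the one Otto makes about reading code: a reviewer can verify by inspection that there is no path on which the variable survives, because there is no call that can fail between reading the array and compacting it.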

