"Fossies" - the Fresh Open Source Software Archive 
Member "libsafe-2.0-16/ChangeLog" (30 May 2002, 13735 Bytes) of package /linux/misc/old/libsafe-2.0-16.tgz:
$Name: release2_0-16 $
$Id: ChangeLog,v 1.19 2002/05/30 14:05:41 ttsai Exp $

Version 2.0-16
* Mon May 21 2002 Timothy Tsai <ttsai@avaya.com>
  - src/intercept.c:
    - Added interception of strncpy(), strncat(), and *snprintf().
  - src/util.c:
    - When a warning is printed, the call stack is now printed with an
      associated executable or library path where the caller is located.
* Thu May 30 2002 Yoann Vandoorselaere <yoann@mandrakesoft.com>
  - src/util.c (prelude_alert):
    - Fix for a last minute libprelude API change.
    (fill_assessment): fill the IDMEF action member.

Version 2.0-15
* Fri Apr 26 2002 Timothy Tsai <ttsai@avaya.com>
  - src/util.c:
    - Added extra "\r\n" in sendmail(). This extra line is needed to
      separate the header and body of the email message.
      [Bug reported by Leonardo Pimenta Gonzalez.]
  - exploits:
    - Removed the xlock example exploit. This exploit was causing RPM
      packages to require an installation of X-Windows, which is not
      actually required by libsafe.

Version 2.0-14
* Fri Apr 12 2002 Timothy Tsai <ttsai@avaya.com>
  - src/util.c:
    - In _libsafe_warn(), added checks when printing out the call stack to
      make sure that no infinite loops result. [Bug reported by Bernd
      Rothert and Leo.]

Version 2.0-13
* Tue Mar 26 2002 Timothy Tsai <ttsai@avaya.com>
  - src/Makefile
    - Included extra code for "make install", which will now prompt the
      user with "Type y for installing libsafe system wide?[default n]".
  - src/intercept.c
    - Used "#ifndef MISSING_WCSNLEN" to conditionally compile the following
      functions: wcscpy(), wcpcpy(), and wcscat(). These functions may
      not be available on all systems.

Version 2.0-12 ***** SIGNIFICANT BUG FIX *****
* Mon Mar 18 2002 Timothy Tsai <ttsai@avaya.com>
  - src/intercept.c:
    - In vfprintf() and _IO_vfprintf(), added the ' and I characters as
      valid flags in the format string. [Bug reported by Wojciech
      Purczynski.]
    - In vfprintf() and _IO_vfprintf(), changed the way in which "%n"
      conversion specifiers are found in the format string. Each "%n"
      conversion is now matched to its corresponding argument, and only
      that argument is verified not to point to a return address. [Bug
      reported by Wojciech Purczynski.]

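The "%n"-to-argument matching described in the 2.0-12 entry above, as an added illustration that is not libsafe's own code: the function names find_n_args() and first_unsafe_n() are hypothetical, the one-pointer-per-argument model of the argument list is an assumption, and the handling of positional "%m$n" goes beyond what the entry states.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* For each %n in fmt, store the 0-based index of the variadic argument it
 * writes through; return how many %n were found (at most max are stored).
 * Added illustration, not libsafe's parser; "*m$" widths are not handled. */
int find_n_args(const char *fmt, int *idx, int max)
{
    int next = 0, found = 0;              /* next: sequential argument slot */
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;        /* "%%" consumes no argument */
        int pos = -1;                     /* explicit "%m$" position, if any */
        char *end = (char *)p;
        long m = (*p >= '1' && *p <= '9') ? strtol(p, &end, 10) : 0;
        if (end != p && *end == '$' && m <= INT_MAX) { pos = (int)m - 1; p = end + 1; }
        while (*p && strchr("-+ #0'I", *p)) p++;   /* flags, incl. ' and I */
        if (*p == '*') { next++; p++; }            /* width from an argument */
        else while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {
            if (*++p == '*') { next++; p++; }      /* precision from an argument */
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;   /* length modifiers */
        if (*p == '\0') break;                     /* truncated conversion */
        int arg = (pos >= 0) ? pos : next++;
        if (*p == 'n') {
            if (found < max) idx[found] = arg;
            found++;
        }
    }
    return found;
}

/* Return the argument index of the first %n whose target is a protected
 * slot (e.g. a saved return address), or -1. Model assumption: args[] holds
 * one pointer-sized value per variadic argument. */
int first_unsafe_n(const char *fmt, void *const args[], int nargs,
                   void *const slots[], int nslots)
{
    int idx[16];
    int n = find_n_args(fmt, idx, 16);
    for (int i = 0; i < n && i < 16; i++)
        for (int s = 0; s < nslots; s++)
            if (idx[i] < nargs && args[idx[i]] == slots[s])
                return idx[i];
    return -1;
}
```

Because only the argument consumed by "%n" is compared against the protected slots, a pointer passed for another conversion such as "%p" does not raise a violation even when it refers to a protected slot.
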
Version 2.0-11
* Thu Feb 28 2002 Yoann Vandoorselaere <yoann@mandrakesoft.com>
  - src/Makefile:
    - Improved code in Makefile to automatically detect if Prelude
      integration code should be included, based on whether the Prelude
      libraries exist.

Version 2.0-10
* Mon Feb 18 2002 Yoann Vandoorselaere <yoann@mandrakesoft.com>
* 2.0-11]
  - src/util.c (prelude_alert): (fill_assessment): (set_user_infos):
    - Add support for Prelude notification. Generate a Prelude IDMEF alert
      message. (See http://www.prelude-ids.org)

Version 2.0-9
* Thu Nov 29 2001 Timothy Tsai <ttsai@avaya.com>
  - src/intercept.c:
    - Corrected off-by-one bug in strcat().

Version 2.0-8
* Mon Nov 12 2001 Timothy Tsai <ttsai@avaya.com>
  - src/intercept.c:
    - Changed method of detecting format string vulnerabilities (i.e.,
      "%n"). The previous method saved all return addresses before calling
      *printf and verified those return addresses after returning from
      *printf. The new method does a simple scan of the format string for
      "%n", which if found will trigger a check of all arguments to see if
      they are pointers to any return addresses. Put wrappers for
      *sprintf(). Note that *scanf() will still use the previous method of
      saving and verifying return addresses.
    - Added support for the LIBSAFE_PROTECT_ROOT option in
      /etc/libsafe.exclude. If /etc/libsafe.exclude includes
      LIBSAFE_PROTECT_ROOT, then only processes with an effective UID >=
      100 will be protected.
* Wed Nov 7 2001 Timothy Tsai <ttsai@avaya.com>
  - src/util.c:
    - If any function determines that there are no frame pointers on the
      stack, then _libsafe_exclude is set to 1, which will effectively
      bypass libsafe checking from that point onward.
    - In _libsafe_save_ra_fp() and _libsafe_verify_ra_fp(), used pointers
      instead of [] notation to improve performance.

Version 2.0-7 ***** SIGNIFICANT CODE CHANGE *****
* Mon Oct 8 2001 Timothy Tsai <ttsai@avaya.com>
  - src/intercept.c
    - Major change in interception method for *scanf() and *printf()
      functions so that a true wrapper is used. The vfscanf.c, vfprintf.c,
      reg-printf.c, and printf-parse.h files are no longer needed. All
      interception is performed completely in intercept.c. The new method
      saves all return addresses before calling *scanf() and *printf() and
      verifies those return addresses after returning from *printf. The
      *sprintf() wrappers are no longer needed.
    - Added the _libsafe_exclude variable to allow disabling of libsafe
      checks under one of two conditions:
      - If util.c determines that frame pointers do not exist on the
        stack. This is an optimization to minimize the overhead for
        programs that are compiled with -fomit-frame-pointer.
      - If the current program name is listed in /etc/libsafe.exclude.
        This allows libsafe to be linked system-wide (via ld.so.preload),
        while disabling libsafe for a small set of incompatible programs.
  - src/util.c:
    - Changed find_stack_start(). Instead of following the chain of frame
      pointers back to the terminating 0x00000000, we determine the start
      of the stack by assuming that the main thread stack starts at
      0xbf800000 and extends for 0x00800000 bytes. Other thread stacks
      occupy approximately 0x0020000 bytes and are allocated at addresses
      lower than the main thread stack.
    - Added _libsafe_save_ra_fp(), _libsafe_verify_ra_fp() to support
      interception of *scanf() functions.
  - doc/libsafe.8
  - doc/libsafe.8.html
    - Updated man page to include mention of support for stpcpy(),
      wcscpy(), wcpcpy(), and wcscat(), as well as /etc/libsafe.exclude.

Version 2.0-6
* Tue Jul 31 2001 Timothy Tsai <ttsai@avaya.com>
  - src/intercept.c
    - Added wrapper functions for stpcpy(), wcscpy(), wcpcpy(), and
      wcscat().
    - Corrected off-by-one bug in strcat().
  - src/vfprintf.c
    - Miscellaneous changes to make vfprintf.c compile with more systems.
  - src/vfscanf.c
    - Miscellaneous changes to make vfscanf.c compile with more systems.
* Mon Jul 16 2001 Timothy Tsai <ttsai@avaya.com>
  - src/util.c
    - Corrected bug in finding current_stack_start in
      _libsafe_dump_stack().

Version 2.0-5
* Fri Jul 6 2001 Timothy Tsai <ttsai@avaya.com>
  - [many files]
    - Added #ident RCS keywords in source code files.
  - src/Makefile
    - Added Makefile target "debug", which will build with the debug flags.
    - Added version information to the name of the libsafe library.
    - Turned off echoing of commands during installation of man pages.
  - src/util.c
    - In _libsafe_dump_stack(), made sure that current_stack_start can
      always be found. This is needed to prevent searching past the
      original stack frame, especially for threads.
  - src/vfprintf.c
    - Corrected bug related to locales.

Version 2.0-4
* Tue Jun 19 2001 Timothy Tsai <ttsai@avaya.com>
  - [many files]
    - Added RCS keywords to identify versions.
  - exploits/exploit-non-exec-stack.c
    - Added some kludges to make sure that no zero-bytes show up in the
      input string for strcpy(). These kludges have to be manually
      uncommented to work.
  - src/util.c
    - Replace the old method of looping to search for the first stack
      frame. The new method works for multiple threads, but makes
      assumptions on the location and sizes of threads.
    - Added ctime_nonewline() to sendmail() because the extra newline
      returned by ctime() caused the mail header to be prematurely ended.
    - Changed method of terminating processes. Use SIGKILL instead of
      _exit().
* Mon Jun 4 2001 Timothy Tsai <ttsai@avaya.com>
  - util.c:
    - Fixed bug in sendmail() caused by ctime() and bare LF's. [Reported
      by José Luis Domingo López.]

Version 2.0-3
* Wed Apr 25 2001 Timothy Tsai <ttsai@avaya.com>
  - src/intercept.c
    - Defined _IO_JUMPS_OFFSET. Some systems need this to compile.

Version 2.0-2
* Tue Apr 24 2001 Timothy Tsai <ttsai@avaya.com>
  - src/intercept.c
    - Put back explicit wrapper functions for sprintf() and vsprintf().
* Thu Apr 19 2001 Timothy Tsai <ttsai@avaya.com>
  - doc/whitepaper-2.0/whitepaper-2.0.tex
    - Removed "DRAFT" label on white paper.
* Tue Apr 10 2001 Timothy Tsai <ttsai@avaya.com>
  - doc/libsafe.8
  - doc/libsafe.8.html
    - Updated man page to refer to libsafe.so.2 instead of libsafe.so.1
  - src/vfprintf.c
    - Added weak alias for __mbrtowc. Some systems need this to compile.

Version 2.0-1
* Fri Mar 23 2001 Timothy Tsai <ttsai@avaya.com>
  - src/Makefile:
    - Added code to make sure man page directories exist before copying the
      man page to those directories.

***** SIGNIFICANT CHANGES *****
The following includes changes that comprise version 2.0:
* Wed Jan 20 2001 Timothy Tsai <ttsai@avaya.com>
  - vfprintf.c:
    - Incorporated *printf() code from libc-2.1.3-91.src.rpm. This code
      fixes a bug for sprintf(), when the same buffer occurs as the
      destination buffer and a source buffer (e.g., "sprintf(buf, "%s...",
      buf, ...)).
    - Introduced code to check for printf format bugs. The code detects
      - overwriting of return addresses via printf("%n", ...)
      - printf argument lists that span multiple stack frames
* Wed Jan 17 2001 Timothy Tsai <ttsai@avaya.com>
  - vfscanf.c:
    - Replaced iovfscanf.c with vfscanf.c from libc-2.1.3-91.src.rpm. This
      updated version supports more field modifiers and conversions.
* Mon Nov 15 2000 Timothy Tsai <ttsai@avaya.com>
  - util.c:_libsafe_stackVariableP():
    - Added code to see if the stack contains stack frames with frame
      pointers. If frame pointers are missing, then
      _libsafe_stackVariableP() always returns 0, which means that checking
      for buffer overflows is disabled. This addition is needed to handle
      code compiled with -fomit-frame-pointer. [-fomit-frame-pointer
      incompatibility reported by Solar Designer, Michael Sweet, and
      others.]
  - util.c:_libsafe_die():
    - Change the mail notification mechanism. Instead of relying on an
      external mail program, email messages are now sent by directly
      communicating with the SMTP port. [Security vulnerabilities of email
      raised by Solar Designer and others.]
    - Added code to print the UID and effective UID of the user. Note that
      this is the user who started the process, who may not necessarily be
      the attacker. [Suggested by Duane Dunston.]
    - Added code to print the address of the code that called the unsafe
      function that was detected by libsafe.
    - Added code to optionally generate a core dump upon exit. [Suggested
      by Aaron Hopkins.]
    - Added debugging code to turn off adding entries to syslog. This is
      useful during testing when a large number of test violations are
      detected. The code must be enabled with the -DDEBUG_TURN_OFF_SYSLOG
      option in the Makefile.
    - Added dying flag to effectively disable _libsafe_stackVariableP()
      after _libsafe_die() has been called.
  - util.c:find_stack_start():
    - find_stack_start() replaces _libsafe_initialize_start_stack().
      find_stack_start() works for multi-threaded processes and is less
      kludgy.
  - util.c:_libsafe_dump_stack():
    - Added this function to print out the contents of the stack when a
      violation is detected. This function is called from _libsafe_die()
      and must be enabled with the -DDUMP_STACK option in the Makefile.
  - intercept.c:gets():
    - Added extra code to make sure that the libsafe gets() treats newlines
      the same way the libc gets() does. [Suggested by Jutta Degener.]
  - intercept.c:getwd():
    - Added code to make sure no more than PATH_MAX characters are
      returned. [Suggested by Jutta Degener.]
  - intercept.c:
    - Made "static memcpy_t real_memcpy" a global variable since four
      functions access it. This increases the performance very slightly.
      [Suggested by Paul Boehm.]
  - iovfscanf.c:
    - Corrected bug in code that improperly processed format specifiers
      with explicit field widths for char types. [Bug reported by Bojan
      Pogacar.]
  - depend: removed from the package

* Fri April 21 2000 Arash Baratloo <arash@research.bell-labs.com>
  - Corrected a couple of bugs (in util.c) that kept libsafe from running on RH5.1
  - Added dependencies to the Makefile

* Thu Mar 30 2000 Vandoorselaere Yoann <yoann@mandrakesoft.com>
* Thu Mar 30 2000 Arash Baratloo <arash@research.bell-labs.com>
  - Update to 1.3
  - Rename copying.lib to copying
  - Use _exit because a sigsegv can be caught.

* Thu Mar 30 2000 Vandoorselaere Yoann <yoann@mandrakesoft.com>
  - Removed a dangerous debugging function.
  - Removed the mail_list file specified by variable feature (could lead to
    attack).
  - Removed all c++ comment... reindent all code.
  - Removed dead code.
  - renamed int script to int.sh.
  - Removed unused check from _libsafe_stackVariableP() (stack_start is
    initialized in intercept.c).

* Thu Mar 09 2000 Vandoorselaere Yoann <yoann@mandrakesoft.com>
  - int : use bash
  - Makefile : make clean work now :)
  - intercept.c : don't initialize static function pointer at .text init
    time.
  - intercept.c : reindented + c++ to c comment :)
  - intercept.c : getLibraryFunction -> use const
  - added intercept.c , will be a c port of intercept.cpp
  - util.c: added warning, for a problem I'm not sure of
  - util.c: don't use non portable asm instruction to make the program
    exit, use a clean portable way to do it...
  - util.c: never use system cause it can be a security problem.
  - util.c: Use the first variable stack address as the sp address.
  - util.c: Use unsigned long cause it is a word long on all architecture.
  - Imported libsafe source, created module, created changelog.