The Stack Clash vulnerability
Michelle Sullivan
michelle at sorbs.net
Thu Jun 22 01:10:50 UTC 2017
Ed Maste wrote:
> On 20 June 2017 at 16:22, Ed Maste <emaste at freebsd.org> wrote:
>> On 20 June 2017 at 04:13, Vladimir Terziev <vterziev at gvcgroup.com> wrote:
>>> Hi,
>>>
>>> I assume FreeBSD security team is already aware about the Stack Clash vulnerability, that is stated to affect FreeBSD amongst other Unix-like OS.
>> Yes, the security team is aware of this. Improvements in stack
>> handling are in progress (currently in review).
> I would like to provide some additional background on this issue.
> First I'd like to thank Qualys for their detailed and thorough
> investigation, which is contributing directly to improving FreeBSD.
>
> The FreeBSD security team is aware of and is monitoring this issue,
> but is not directly developing in the changes that are in progress.
> The issue under discussion is a limitation in a vulnerability
> mitigation technique. Changes to improve the way FreeBSD manages stack
> growth, and mitigate the issue demonstrated by Qualys'
> proof-of-concept code, are in progress by FreeBSD developers
> knowledgeable in the VM subsystem. These changes are expected to be
> committed to FreeBSD soon, and from there they will be merged to
> stable branches and into updates for supported releases.
One would hope considering the nature and potential threat this would be
one of those fixes back ported to previous -STABLE trees as well.
--
Michelle Sullivan
http://www.mhix.org/
More information about the freebsd-security
mailing list