Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <80402134-edf5-1d75-43b0-cfa5f0f6747b@cpanel.net>
Date: Fri, 17 Nov 2017 15:32:28 -0600
From: John Lightsey <jd@...nel.net>
To: oss-security@...ts.openwall.com
Subject: Re: phusion passenger CVE-2017-1000384

On 11/17/17 3:19 PM, Jakub Wilk wrote:
> * John Lightsey <jd@...nel.net>, 2017-11-17, 14:58:
>> https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf
>>
> 
> This adds:
> 
>   #ifdef false
>   ...
>   #endif
> 
> But false _is_ a defined macro in this file, so this doesn't disable the
> code inside. I guess they meant to write:
> 
>   #if false
>   ...
>   #endif
> 

True enough. The removal of the call to inferApplicationInfo() is the
key part of the change.


Download attachment "smime.p7s" of type "application/pkcs7-signature" (3982 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.