New things in 10.1 from a security point of view.
Format string exploits got harder, thanks to FORTIFY_SOURCE and glibc 2.4.
glibc now checks whether the format string containing %n (the critical point in format string exploits) lives in writable memory, and if so, it aborts the process. Consider this example:
    #include <stdio.h>
    #include <stdlib.h>   /* malloc() */
    #include <string.h>

    extern int f(char *f)
    {
        char *buf = malloc(strlen(f)+1);
        strcpy(buf, f);
        printf(buf, "hello world");   /* attacker-controlled format string */
        return 0;
    }

    int main(int argc, char **argv)
    {
        f("%s\n%n%n%n");
        return 0;
    }
Before:
    $ gcc -O2 -o xx xx.c
    $ ./xx
    hello world
    Segmentation fault

Exploit successful.
After:
    $ gcc -O2 -o xx xx.c -D_FORTIFY_SOURCE=2
    $ ./xx
    hello world
    *** %n in writable segment detected ***
    Aborted

Exploit only successful in getting a controlled abort(), but no code execution.
This requires code compiled with -D_FORTIFY_SOURCE=2, which is the case for all packages built with RPM_OPT_FLAGS in SUSE Linux, around 90% - 95% of them.
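As an added example (not code from the original post or from glibc), here is a user-space version of the kind of check described above, together with the correct fix of passing untrusted data as a printf argument instead of as the format. The names format_has_n_directive and checked_printf are assumptions; unlike the glibc check, this wrapper rejects %n in every format string, not only in those located in writable memory.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Scan a printf-style format string and report whether it contains a %n
 * conversion. Handles "%%", positional "%1$n", flags, width, precision and
 * length modifiers. Assumed helper, written for this example. */
bool format_has_n_directive(const char *fmt) {
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                 /* "%%" is a literal '%' */
        const char *q = p;                       /* positional "N$" prefix */
        while (*q >= '0' && *q <= '9') q++;
        if (q != p && *q == '$') p = q + 1;
        while (*p && strchr("-+ #0'", *p)) p++;  /* flags */
        while ((*p >= '0' && *p <= '9') || *p == '*') p++;   /* width */
        if (*p == '.') {                         /* precision */
            p++;
            while ((*p >= '0' && *p <= '9') || *p == '*') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++; /* length modifiers */
        if (*p == 'n') return true;
        if (!*p) break;                          /* truncated directive */
    }
    return false;
}

/* printf wrapper that refuses any format containing %n. Stricter than the
 * glibc FORTIFY check, which only rejects %n when the format string lives
 * in writable memory. Returns -1 on rejection, else printf's return value. */
int checked_printf(const char *fmt, ...) {
    if (format_has_n_directive(fmt)) {
        fputs("*** %n in format string rejected ***\n", stderr);
        return -1;
    }
    va_list ap;
    va_start(ap, fmt);
    int n = vprintf(fmt, ap);
    va_end(ap);
    return n;
}

int main(void) {
    const char *untrusted = "%s\n%n%n%n";     /* constructed, same as the post */
    checked_printf(untrusted, "hello world");  /* rejected, returns -1 */
    checked_printf("%s\n", untrusted);         /* the real fix: data as argument */
    return 0;
}
```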
(Of course I know that almost all format string exploits have been fixed in the meantime. But there might still be some left.)