Monday, February 27, 2023

Re: On the remaining syscall(2) or __syscall(2) use in ports

On 2023/02/27 17:17, Theo de Raadt wrote:
> Stuart Henderson <stu@spacehopper.org> wrote:
>
> > This port is broken; doesn't work with our Perl version. 4.79 needs

Testing on 7.2 it seems this worked before the recent Perl update.

> > a patch to avoid segfaults because we don't have fexecve() and with
> > that fixed still doesn't work (same errors as 4.75).
>
> I've looked into fexecve() numerous times and I just cannot for the life
> of me see how to avoid it becoming a component of attack methodology.
>
> The people who invented it must be completely unaware of the dangerous
> tooling this brings to the table.
>
> OpenBSD will never have it.

Surely they must be aware... In particular in an OS with memfd_create
it seems particularly potent.

As far as this port (p5-IO-AIO) goes, it provides async wrappers for a
whole bunch of functions/syscalls. In terms of this, fexecve is just one
of dozens it's wrapping; they just didn't check that the function is
really available and just assume it is, based on _POSIX_VERSION.
