mingw-w64 produces non-ASLR-compatible EXE files VU#307144 - alpine
——BEGIN PGP SIGNED MESSAGE——
Hash: SHA256
Hello Folks,
It’s been known for about 5 years or so that mingw-w64 produces EXE
files that are not compatible with ASLR on Windows.
https://sourceforge.net/p/mingw-w64/mailman/message/31034877/
https://sourceware.org/bugzilla/show\_bug.cgi?id=17321
https://sourceware.org/bugzilla/show\_bug.cgi?id=19011
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836365
We have a blog post draft crafted to explain why this is a problem:
https://drive.google.com/file/d/1mhEWOWcFAZ-ABMeD2im-UoD-hJxrtUa\_/view
TL;DR: The VLC developers produced an executable that was vulnerable
to a reliable RCE exploit because of it. Other developers are also
affected.
Given that there are already tickets for this issue, this isn’t a
particularly sensitive issue. However, maybe one of you can help it
get the traction that it needs. Our estimated timeframe for
publication is next week (July 30 - August 3).
Thank you,
Will Dormann
Vulnerability Analyst
CERT Coordination Center
4500 Fifth Ave.
Pittsburgh, PA 15213
1-412-268-7090
=——BEGIN PGP SIGNATURE——
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAEBCAAGBQJbWhsXAAoJEOPd3Dh7UC7PV9AP/Rym9Lw42QemFoh6tss4ELky
Rbaf1aTdstKHIXaVi+GeAWMsyKPtiE5uY6JlH5DFn9p4mFqlTSItQdzu2WpqElfc
Bn/tjKQJ6281N32N4ykZcNQkXvk9LC5jrygpsaLhVBr4kJIvWn2FyYz479Wu3u/U
V8Xx8H7OyOz05wxiAQuRJzzcCrmeJCrsgC9eeOc/kn0QHri1/HRwpmjIg/lEQ00t
3v3Oe6dIkvVhu6l5LjlTQyjEPvapGqG7MaHlABl5BqgcV5GoLuyzzfjg7Ci7UIs4
DZq0n2YfsDihlPedo90MX5iLRRxXkb3yz9vC4T0VqAjaR6cpHRG1v7YRoRzLuHuL
ezjzsTp4d5+aGNAH6NeeUXuMiRa5U5uCyx6RUVb/I/xtOFtuzBNQhPtUrDGrLSIp
6KW17n3NB1fakAxkuCXHJWjcPuuxp5aGh+3KmxfK3NaSvForKdzmVupnFxedyuMS
6nHlXnYJS5KhDDfDGiBopKNxehu17ZQVi6Bfnf30E1MkXT0yTjLZVw9SGT+JKKrx
8qOKU0tiNBpEf3yKnluJg6fkrx+/+7h96ppXOxvwNTVILzoY+wBiiY/mLbNllhBa
xxoSlzFzLMcw2XP9xOOClHMq4hnteWoKAQx5mVYNDqO0duZuvPIjZpegvDltxz3F
3Cl/Z8Br3n9HFzGISH2i
=2tGB
——END PGP SIGNATURE——
(from redmine: issue id 9138, created on 2018-07-26)