New things in 10.1 from a security point of view.
Format string exploits got harder, thanks to FORTIFY_SOURCE and glibc 2.4.
glibc now checks whether %n (the critical directive in format string exploits) appears in a format string that lives in writable memory, and if so, it aborts. Consider this example:
    #include <stdio.h>
    #include <stdlib.h>   /* malloc */
    #include <string.h>

    /* Deliberately vulnerable: the caller's string is used as the format. */
    void f(char *f) {
        char *buf = malloc(strlen(f)+1);
        strcpy(buf, f);
        printf(buf,"hello world");   /* attacker-controlled format string */
    }

    int main(int argc, char **argv) {
        f("%s\n%n%n%n");
        return 0;
    }
Before:
$ gcc -O2 -o xx xx.c
$ ./xx
hello world
Segmentation fault
Exploit successful.
After:
$ gcc -O2 -o xx xx.c -D_FORTIFY_SOURCE=2
$ ./xx
hello world
*** %n in writable segment detected ***
Aborted
The exploit now only achieves a controlled abort(), not code execution.
This requires code compiled with the -D_FORTIFY_SOURCE=2 define, which applies to all packages built with RPM_OPT_FLAGS in SUSE Linux, i.e. around 90% - 95% of them.
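To make the mechanism concrete, here is an added example (my own code, not glibc's implementation and not from the original post) with two parts: a small scanner that counts %n conversions in a printf-style format string, skipping "%%" and any flags, width, precision, positional and length modifiers, which is the kind of scan the fortified printf performs before deciding to abort; and f_hardened(), the fixed form of the f() above, which passes the caller's data as an argument to a constant "%s" format so it can never be interpreted as a format string. The function names and sample strings are my own constructions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count the %n conversions in a printf-style format string. "%%" is a
 * literal percent sign and is skipped; flags, width, precision,
 * positional arguments ('$') and length modifiers (h, hh, l, ll, ...)
 * may sit between '%' and the conversion character.
 * Illustrative scanner, not glibc's code. */
int count_n_conversions(const char *fmt)
{
    int count = 0;
    const char *p = fmt;
    while ((p = strchr(p, '%')) != NULL) {
        p++;                          /* character after '%' */
        if (*p == '%') {              /* "%%" -> literal '%' */
            p++;
            continue;
        }
        /* skip flags, digits, '.', '$', '*' and length modifiers */
        while (*p != '\0' && (strchr("-+ #0'123456789.$*", *p) != NULL ||
                              strchr("hlLqjzt", *p) != NULL))
            p++;
        if (*p == '\0')
            break;
        if (*p == 'n')
            count++;
        p++;                          /* step past the conversion char */
    }
    return count;
}

/* Defender-side policy: user data is only acceptable as a format if it
 * carries no %n at all. (glibc's own check additionally requires the
 * format to be in writable memory before it aborts.) */
int format_is_safe(const char *fmt)
{
    return count_n_conversions(fmt) == 0;
}

/* The fixed form of the page's f(): input is printed as data via a
 * constant "%s" format and is never interpreted as a format string. */
void f_hardened(const char *input)
{
    char *buf = malloc(strlen(input) + 1);
    if (buf == NULL)
        return;
    strcpy(buf, input);
    printf("%s", buf);
    free(buf);
}

int main(void)
{
    /* constructed sample format strings */
    const char *samples[] = { "%s\n%n%n%n", "%%n is literal", "%hn", "hello %d" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d %%n conversion(s), safe=%d\n",
               count_n_conversions(samples[i]), format_is_safe(samples[i]));
    f_hardened("%s\n%n%n%n\n");       /* printed verbatim, nothing is written */
    return 0;
}
```

Two caveats worth keeping in mind when relying on the glibc check rather than on fixing the call site: it only fires for formats in writable memory, so a %n inside a string literal in .rodata is still accepted, and _FORTIFY_SOURCE only takes effect when compiling with optimization (the -O2 in the sessions above is what makes the -D_FORTIFY_SOURCE=2 build actually fortified).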
(Of course I know that almost all format string exploits have been fixed in the meantime. But there might still be some left.)