This article is a follow-up to our advisory from last year on canary randomisation for applications in the Debian distribution.
| | |
|---|---|
| Affected Products: | All SSP-armoured applications, statically or dynamically linked against the libc6 library (versions ≤ 2.7) provided by the Debian GNU/Linux project. |
| Class: | Degraded performance of security mechanism due to misconfiguration. |
| Discovered by: | Dimitris Glynos |
We have found that Debian packages of the GNU libc library (versions prior to and including 2.7)
provide a static (i.e. guessable) canary value to all applications armoured with the gcc SSP