New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
@gsrdgrdghd - the point is that you simply should avoid compiling it with SSE
@yomero - if you compile from sources using heavy optimization (such as SSE etc.) then it will be vulnerable
Yeah i was just pointing out that it is by no means the gcc devs fault, the MySQL devs are completly responsible for this.
@gsrdgrdghd - no, MySQL devs are not responsible. Official vendors provides binary versions which are not vulnerable. If you decide to compile you own version you are responsible.
Then explain me why they are not responsible. They made the mistake in their code to rely on that memcmp only returns a value between -127 and 128.
Edit: To clarify:
The MySQL code only works correct when memcmp returns a value between -127 and 128. The C/C++ specification clearly states that
Nowhere does it say that the return value is between -127 and 128. Therefor MySQL is completly responsible for this.
@gsrdgrdghd - if you compile source code as you should, without any additional optimization, it works as it should and it's not vulnerable. I wrote previously what is the difference with SSE and non-SSE behavior. In source code they are using only the result of memcmp but the SSE magic runs inside it and is almost invisible to source code.
By the way are you a software developer?
Edit: of course you can use precompiler flags and checks but since they wrote really cross platform app it's hard to do.
Who says i should ocmpile source code without optimization?
Yes you wrote that the non-SSE version compares one byte each, and the SSE version compares 4 byte at once. That is not a problem as long as memcmp still abides the specification.
Logically the only way this could be the gcc devs fault is if memcmp returned 0 although the values it compares are different. Can we agree on this?
I am an informatics student.
The memcmp works correctly and source code is also correct
Use documentation - they have whole set of predefined flags to optimize MySQL
Which specialization?
Yes, and are those the most commonly-used binaries? No, of course not – most people are going to use what's found in their package manager, which will have been compiled by the package management team for the distribution. Saying “Well, our versions are OK” is just CYA bullshit when they know full-well that the majority of people using those builds aren't using them on servers.
Can you link me on that?
Exactly what i've been saying. Its MySQLs fault for just converting that int to a char and therefor cutting off part of it.
We don't have any specialization here, just generic 'Informatics'.
@MrDOS - I partially agree with you but this is common problem with open source software. If you need a support and some bug fix guarantee even for open source you should use official binaries (personally I'm using Percona's repos and builds on all Linux servers). There is a difference between using open source for hobby or learning and using it for business. Users should be educated somehow but instead it's all copy and paste from different blogs, tuts found on Internet.
http://dev.mysql.com/doc/refman/5.1/en/source-installation.html
Weird
Thanks
Why? Well most of what i do is algorithm designs, complexity theory, numerical theory and cryptography. Coding is only ~10% of my time.
@gsrdgrdghd - on my university we had to choose specialization somewhere in the middle of the second year of studies.
Around here, that's computer science – “informatics” is the marketspeak evil twin of IT that people who can't cut it in CompSci take when they still want a university-level technology degree.
Well here (Germany) we don't have anything called CompSci. If you study IT you just study Informatik (i don't know weather CompSci or Informatics is the correct translation). (here is a shitty google translation of the curriculum)
Hehe its kinda the same here (50%+ dropout rate)
True true, my mistake
The software publisher has zero control over which libc you use.