lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <gemini.kkdgmy09y05rk031t.taviso@sdf.lonestar.org>
Date: Thu, 28 May 2009 22:52:15 +0200
From: Tavis Ormandy <taviso@....lonestar.org>
To: full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com
Subject: Re: [TZO-27-2009] Firefox Denial of Service
	(Keygen)

Thierry Zoller <Thierry@...ler.lu> wrote:

> Hi Tavis,
> 
> The  bug title says Denial of service, not information leak, or crypto
> leak or whatever.

I'm confused what it is you're replying to, I was clearly pointing out your
misunderstanding of the term "memory leak" in the "impact" section of your
post lead you to vastly over estimate the potential impact of your bug.

> That's it, one might want to write a paper how,  by  indirect means
> memory  leaks  can  wreak  havoc, that's an exercise I happily leave  to
> the  reader. The point was that you better  analyse  them  instead  of
> having them sit there a few months. period, nothing more nothing less.
> 

A memory leak in an interactive program that requires you to view a hostile
page for 9hours is clearly of negligible security impact. The reason you are
having trouble comprehending why the mozilla developers have evidently
triaged this issue as low priority is that they are aware that "memory leak"
!= "information leak". 

I'm sure that if you were to familiarise yourself with the some of the
rudimentary concepts involved in dynamic memory allocation you will
understand their decision.

Rest assured, there is zero possibility that a memory leak can result in
"reduced entropy, weak key material etc" as you mentioned in email.

Thanks, Tavis.

-- 
-------------------------------------
taviso@....lonestar.org | finger me for my pgp key.
-------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ