lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <gemini.kkdidn0a2ywy8031t.taviso@sdf.lonestar.org>
Date: Thu, 28 May 2009 23:29:53 +0200
From: Tavis Ormandy <taviso@....lonestar.org>
To: full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com
Subject: Re: [TZO-27-2009] Firefox Denial of Service
	(Keygen)

Thierry Zoller <Thierry@...ler.lu> wrote:
> > A memory leak in an interactive program that requires you to view a
> > hostile page for 9hours is clearly of negligible security impact.
> Ok I will take the strawman :

Your random application of meaning to terminology is at least entertaining.

> Only a few bytes of "k" leads to the compromises of the private key.
> (DSA).  Does  this  matter,  not  really.  It's your key anyways. Does
> something  "leak" to somewhere were it's not supposed to be, no. Memory is
> just not correctly freed.

Ah-ha, I see you have consulted some documentation and the correct meaning
of the term is now becoming clear to you.

> 
> Yep,   I  am  an  ignorant  idiot,  can  we
> move on now ? If *you* can't imagine a setup or extreme border case where
> (as example) entropy that is being collected is indirectly affected, be it
> in quality of entropy or size, then clearly *I*  must  be  the idiot that
> doesn't understand the concept of memory allocations.

I am aware of your attempt at sarcasm, and yet this sentence is completely
accurate. I cannot imagine any situation where this is the case, because the
two concepts are orthogonal.

> General comment: I am  interesting  to  see  the  kind  of feedback I get
> when  posting an Firefox bug as opposed to bugs of other vendors. It's
> almost like you hit a little boy and everybody steps into for his defence.

Your complaint that mozilla developers need to drop what they're doing and
investigate your trivial issues was too much to bare.

Thanks, Tavis.

-- 
-------------------------------------
taviso@....lonestar.org | finger me for my pgp key.
-------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ