lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTimhpVnyR-=aY9h8XAwdQQRqeobZG7KA1FaTv5qb@mail.gmail.com>
Date: Wed, 9 Feb 2011 21:31:52 +0100
From: Christian Sciberras <uuf6429@...il.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk, literalka@...a.eu
Subject: Re: {Java,PHP} Server Exploits

You've misread my statement, I didn't say floating point is trivial.
I actually said  securing a base data type is trivial.

I'd give you credit if this was a complex issue in, say, deserializing some
complex type, but not float.

How many simple types does PHP have? Integer, float, string and boolean.
Keep in mind that when we talk about floating point in PHP, we're talking
about The Float (64bit || 32bit), not tens of different floating types
ranging from 8 bits to 1024...

Cheers,
Chris.




On Wed, Feb 9, 2011 at 9:13 PM, <Valdis.Kletnieks@...edu> wrote:

> On Wed, 09 Feb 2011 20:54:41 +0100, Christian Sciberras said:
>
> >     $f=floatval("2.2250738585072011e-308");
> >     echo 'Try 2 => '.$f.'</br>';
>
> > Plus, I'm a bit amazed such a bug exists in PHP - since converting to
> > floating point is a trivial operation, it should have been limited and
> > safe-guarded from the start.
>
> Take a careful gander at that number, then go look at the floating point
> spec -
> it's a specific corner case that isn't obviously trivial to get right
> (doing
> floating point *right* is a lot harder than it looks - take a class on
> numerical methods sometime, you spend 75% of your time dealing with
> rounding
> errors in the last bit).
>
> Having said that, anybody writing floating point support for a package
> should
> probably google 'floating point paranoia' and learn what sort of things to
> test
> for. :)
>
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ