Date: Mon, 4 Apr 2011 17:45:40 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley@...us.mitre.org, John Bailey <rekkanoryo@...kanoryo.org>
Subject: Re: Local memory disclosure (was: libpurple CVE UnRequest)

On Mon, 21 Mar 2011 12:02:40 -0400 (EDT) Steven M. Christey wrote:

> Disclosure of "local" memory to another user on the same system could
> qualify for CVE inclusion, if the memory can contain something
> sensitive.

The patches fix the code that was intended to clean up (wipe) certain
buffers that were used to store crypto material before freeing them.
As the CC on John was dropped, I guess he did not see your follow-up to
clarify his "local".

My understanding is that this issue may increase impact of some other
memory disclosure issue (encryption key leaked vs. e.g. a random chat
message), but requires some other flaw to be an issue.

-- 
Tomas Hoger / Red Hat Security Response Team
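The pattern the message refers to, wiping a buffer that held crypto material before it is freed, is shown below as an added example. It is not libpurple's code and not taken from the thread or the patches; the helper names (secure_wipe, is_all_zero, key_lifecycle_wiped, partial_wipe_detected) and the sample key bytes are constructed for illustration. The example assumes the wipe is done through a volatile pointer, a general precaution against the compiler dropping a plain memset() on a buffer that is about to be freed; the thread itself does not say what the original defect was.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not libpurple's): zero a buffer through a volatile
 * pointer so the stores survive optimisation even when free() follows. */
static void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Defensive check: returns 1 if every byte of buf is zero, else 0.
 * The OR-accumulate form avoids an early exit on the first non-zero byte. */
int is_all_zero(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Simulated key lifecycle: allocate, fill with a constructed sample key,
 * wipe, verify, then free. Returns 1 if the whole buffer was zeroed
 * before release, 0 otherwise. */
int key_lifecycle_wiped(void) {
    const size_t key_len = 16;
    unsigned char *key = malloc(key_len);
    if (!key) {
        return 0;
    }
    /* Constructed sample key material: 0x10, 0x11, ... 0x1f. */
    for (size_t i = 0; i < key_len; i++) {
        key[i] = (unsigned char)(0x10 + i);
    }
    /* ... the key would be used for encryption here ... */
    secure_wipe(key, key_len);
    int wiped = is_all_zero(key, key_len);
    free(key);
    return wiped;
}

/* Contrast case: a wipe that runs but covers only part of the buffer
 * leaves crypto material behind. The check reports this as not wiped
 * (returns 0), which is what a unit test for cleanup code should catch. */
int partial_wipe_detected(void) {
    unsigned char buf[16];
    memset(buf, 0xAA, sizeof buf);   /* constructed stand-in for key bytes */
    secure_wipe(buf, 8);             /* only the first half is cleared */
    return is_all_zero(buf, sizeof buf);
}
```

The useful habit here is the verification step: a wipe that is silently skipped or cut short looks identical to a correct one at the call site, so cleanup routines deserve a test that inspects the buffer after the wipe and before the free.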
