Date: Wed, 7 May 2014 21:09:12 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: A note on DBus and the Hash DOS

On Wed, 07 May 2014 12:30:41 -0600
Kurt Seifried <kseifried@...hat.com> wrote:

> So many years ago some hash dos stuff happened. I checked into a
> variety of programs using embedded copies of various things like
> XML/etc. Also other programs that use hashing for stuff, one of which
> is DBus.
>
> The bad news: DBus has a vulnerable hash implementation
>
> The good news: there doesn't appear to be many (any?) ways to inject
> data easily to trigger this vulnerability.

I don't know how others feel about this, but I'd be more careful with
such cases. Basically this sounds to me like a "we don't know if it is
a vulnerability, but it could be". And there I'd say "in doubt be on
the safe side".

Rate them as "very low impact", don't treat them with any urgency, but
I think such issues should be fixed and should be called
vulnerabilities nevertheless.

--
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)