Date: Wed, 7 May 2014 21:09:12 +0200
From: Hanno Böck <>
Subject: Re: A note on DBus and the Hash DOS

On Wed, 07 May 2014 12:30:41 -0600
Kurt Seifried <> wrote:

> So many years ago some hash dos stuff happened. I checked into a
> variety of programs using embedded copies of various things like
> XML/etc. Also other programs that use hashing for stuff, one of which
> is DBus.
> The bad news: DBus has a vulnerable hash implementation
> The good news: there doesn't appear to be many (any?) ways to inject
> data easily to trigger this vulnerability.

I don't know how others feel about this, but I'd be more careful with
such cases.

Basically this sounds to me like a "we don't know if it is a
vulnerability, but it could be". And there I'd say "in doubt be on the
safe side".

Rate them as "very low impact", don't treat them with any urgency, but
I think such issues should be fixed and should be called
vulnerabilities nevertheless.

Hanno Böck

