Date: Wed, 7 May 2014 21:09:12 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: A note on DBus and the Hash DOS

On Wed, 07 May 2014 12:30:41 -0600
Kurt Seifried <kseifried@...hat.com> wrote:

> So many years ago some hash dos stuff happened. I checked into a
> variety of programs using embedded copies of various things like
> XML/etc. Also other programs that use hashing for stuff, one of which
> is DBus.
> 
> The bad news: DBus has a vulnerable hash implementation
> 
> The good news: there doesn't appear to be many (any?) ways to inject
> data easily to trigger this vulnerability.

I don't know how others feel about this, but I'd be more careful with
such cases.

Basically this sounds to me like a "we don't know if it is a
vulnerability, but it could be". And there I'd say "in doubt be on the
safe side".

Rate them as "very low impact", don't treat them with any urgency, but
I think such issues should be fixed and should be called
vulnerabilities nevertheless.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42
