Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 4 Apr 2011 17:45:40 +0200
From: Tomas Hoger <>
Cc:, John Bailey <>
Subject: Re: Local memory disclosure (was: libpurple CVE

On Mon, 21 Mar 2011 12:02:40 -0400 (EDT) Steven M. Christey wrote:

> Disclosure of "local" memory to another user on the same system could 
> qualify for CVE inclusion, if the memory can contain something
> sensitive.

The patches fixes the code that was intended to clean up wipe certain
buffers that were used to store crypto material before freeing them.
As the CC on John was dropped, I guess he did not see your follow-up to
clarify his "local".

My understanding is that this issue may increase impact of some other
memory disclosure issue (encryption key leaked vs. e.g. a random chat
message), but requires some other flaw to be an issue.

Tomas Hoger / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.