Date: Mon, 4 Apr 2011 17:45:40 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley@...us.mitre.org, John Bailey <rekkanoryo@...kanoryo.org>
Subject: Re: Local memory disclosure (was: libpurple CVE UnRequest)

On Mon, 21 Mar 2011 12:02:40 -0400 (EDT) Steven M. Christey wrote:

> Disclosure of "local" memory to another user on the same system could
> qualify for CVE inclusion, if the memory can contain something
> sensitive.

The patch fixes the code that was intended to wipe certain buffers that were used to store crypto material before freeing them.

As the CC on John was dropped, I guess he did not see your follow-up to clarify his "local".

My understanding is that this issue may increase the impact of some other memory disclosure issue (encryption key leaked vs. e.g. a random chat message), but requires some other flaw to be an issue.

-- 
Tomas Hoger / Red Hat Security Response Team
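The message above concerns buffers holding crypto material that were meant to be wiped before being freed. The following is an added example, not libpurple's code and not the patch discussed in the thread: it shows the general wipe-before-free pattern with a wipe routine written through a volatile pointer so the compiler cannot treat the zeroing as a dead store ahead of free() (a common way such cleanup silently fails; the message does not say that was libpurple's specific defect). The struct, the helper names and the key bytes are constructed for the illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: zero n bytes through a volatile pointer so the
 * stores cannot be optimised away even though the buffer is freed next.
 * A plain memset() immediately before free() may be removed by the
 * compiler as a dead store, leaving the key bytes in the heap. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Constructed example of a buffer holding secret material. */
struct key_material {
    unsigned char key[32];
    size_t len;
};

/* Returns 1 if every byte of buf is zero, 0 otherwise. Used to check
 * that a wipe actually took effect. */
int is_all_zero(const unsigned char *buf, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Wipe the key in place and report whether the wipe took effect.
 * Returns 1 on success; the caller still owns the struct. */
int wipe_key_material(struct key_material *km)
{
    secure_wipe(km->key, sizeof km->key);
    km->len = 0;
    return is_all_zero(km->key, sizeof km->key);
}

/* Allocate key material, fill it with constructed key bytes, then wipe
 * it and free it. Returns 1 if the key bytes were zeroed before free(). */
int demo_wipe_before_free(void)
{
    struct key_material *km = malloc(sizeof *km);
    if (km == NULL)
        return 0;

    /* Constructed "key" bytes standing in for real crypto material. */
    for (size_t i = 0; i < sizeof km->key; i++)
        km->key[i] = (unsigned char)(0xA5 ^ i);
    km->len = sizeof km->key;

    int wiped = wipe_key_material(km);
    free(km);   /* the freed chunk no longer carries the key */
    return wiped;
}
```

The check in wipe_key_material() is what a regression test for this class of bug would assert: after the cleanup path runs, no byte of the secret remains in the buffer that is about to be released.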