Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 4 Apr 2011 17:45:40 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley@...us.mitre.org, John Bailey <rekkanoryo@...kanoryo.org>
Subject: Re: Local memory disclosure (was: libpurple CVE
 UnRequest)

On Mon, 21 Mar 2011 12:02:40 -0400 (EDT) Steven M. Christey wrote:

> Disclosure of "local" memory to another user on the same system could 
> qualify for CVE inclusion, if the memory can contain something
> sensitive.

The patches fixes the code that was intended to clean up wipe certain
buffers that were used to store crypto material before freeing them.
As the CC on John was dropped, I guess he did not see your follow-up to
clarify his "local".

My understanding is that this issue may increase impact of some other
memory disclosure issue (encryption key leaked vs. e.g. a random chat
message), but requires some other flaw to be an issue.

-- 
Tomas Hoger / Red Hat Security Response Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.