Date: Wed, 26 Oct 2016 10:08:56 +0200 From: Agostino Sarubbo <ago@...too.org> To: Tavis Ormandy <taviso@...gle.com> Cc: oss-security@...ts.openwall.com, Assign a CVE Identifier <cve-assign@...re.org> Subject: Re: Re: jasper: memory allocation failure in jas_malloc (jas_malloc.c) On Tuesday 25 October 2016 12:13:44 Tavis Ormandy wrote: > I'm not sure I understand the concern here. Isn't it usually expected > that the administrator configures appropriate ulimits, and the code > should just handle allocation failure gracefully? > > If we are considering *not* implementing arbitrary hardcoded limits a > security problem, that seems like a significant change in software > design philosophy (I've heard it called the zero-one-infinity rule > before). > > Tavis. Tavis, more or less I agree with you, but since time ago I saw that similar bugs reveiced a CVE, I thought that these type of bugs could interest the community and them I'm sharing them. If I'm not mistaken, CWE-789 covers these type of bugs. -- Agostino
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.