Date: Wed, 7 Sep 2022 01:30:17 +0000
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: sagemath denial of service with abort() in gmp: overflow in mpz type

On Tue, Sep 06, 2022 at 08:45:28AM -0400, Jeffrey Walton wrote:
> One of the problems with GMP is, it will crash instead of returning
> failure. The problem becomes more acute if the program using GMP is
> handling sensitive information, like a private key or passphrase. The
> sensitive material can be written to a dump file and can be sent to an
> error reporting service.

Could an application that handles secrets and uses GMP use prctl(2)'s
PR_SET_DUMPABLE command to prevent dumping the core file? It'd also
prevent using ptrace-based debugging, so it's not without costs, but if
it handles secrets, that's probably also a good idea.

Thanks
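The prctl(2) mitigation suggested above, as an added example that is not part of the oss-security thread and not code from GMP or sagemath. It assumes Linux (prctl and PR_SET_DUMPABLE are Linux-specific) and goes one step beyond the message by also lowering RLIMIT_CORE to zero as a second, independent way of suppressing core files; the secret buffer is constructed for the demonstration.

```c
/* Added example (not from the thread): make a process that holds secret
 * material non-dumpable, so an abort() inside GMP cannot leave the secret
 * in a core file. Assumes Linux. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/resource.h>

/* Clear the per-process dumpable flag. Returns 0 on success, -1 on failure.
 * Side effect noted in the thread: an unprivileged process with the same
 * uid can no longer ptrace-attach to this one, so debugging gets harder.
 * Note: the kernel resets this flag on execve of a setuid/setgid binary
 * and the fs.suid_dumpable sysctl decides what happens then. */
int disable_core_dumps(void)
{
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == 0 ? 0 : -1;
}

/* Read the flag back: 0 = not dumpable, 1 = dumpable,
 * 2 = dumpable with root-owned core (SUID_DUMP_ROOT), -1 on error. */
int query_dumpable(void)
{
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Belt-and-braces (beyond what the thread mentions): cap the core file
 * size at zero. Lowering a soft and hard limit never needs privilege.
 * Returns 0 on success, -1 on failure. */
int set_core_limit_zero(void)
{
    struct rlimit rl = { .rlim_cur = 0, .rlim_max = 0 };
    return setrlimit(RLIMIT_CORE, &rl) == 0 ? 0 : -1;
}

/* Returns 1 if the current RLIMIT_CORE soft limit is zero, else 0. */
int core_limit_is_zero(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    return rl.rlim_cur == 0;
}

int main(void)
{
    /* Constructed stand-in for a passphrase or private key held in memory. */
    char secret[32] = "constructed-demo-passphrase";

    /* Apply both protections before any secret-bearing computation
     * (for example, before handing the value to GMP's mpz routines). */
    if (disable_core_dumps() != 0 || set_core_limit_zero() != 0) {
        perror("hardening failed");
        return 1;
    }
    printf("dumpable flag now: %d, core limit zero: %d\n",
           query_dumpable(), core_limit_is_zero());

    /* ... secret is used here; a crash now leaves no core file behind ... */

    /* Scrub the buffer once done; volatile pointer keeps the compiler
     * from eliding the wipe as a dead store. */
    volatile char *p = secret;
    for (size_t i = 0; i < sizeof secret; i++)
        p[i] = 0;
    return 0;
}
```

Call disable_core_dumps() as early as possible, before secrets are loaded, and re-apply it after any fork()/execve() pair, since the flag is per-process and may be reset across execve.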