Date: Wed, 7 Sep 2022 08:36:17 +0300 From: Georgi Guninski <gguninski@...il.com> To: oss-security@...ts.openwall.com Subject: Re: sagemath denial of service with abort() in gmp: overflow in mpz type On Wed, Sep 7, 2022 at 4:32 AM Seth Arnold <seth.arnold@...onical.com> wrote: > > Could an application that handles secrets and uses GMP use prctl(2)'s > PR_SET_DUMPABLE command to prevent dumping the core file? It'd also > prevent using ptrace-based debugging, so it's not without costs, but if > it handles secrets, that's probably also a good idea. > on ubuntu 20 a lot of stuff depends on libgmp: $ apt-cache rdepends libgmp10 | wc -l 2442 $ apt-cache rdepends libgmp10 | grep -i crypt | wc -l 28 some examples: gcc-9 gawk g++-9 dnsmasq-base cpp-9-s390x-linux-gnu will the infidels who argue that crash in python is nothing still will claim that gmp crash in any of the 2442 packages is still nothing?
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.