Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAJ_zFkJFCUiOb+S46jM87qundu4rYO1QhxQ85KJHb_zKVOggzQ@mail.gmail.com>
Date: Tue, 25 Oct 2016 12:13:44 -0700
From: Tavis Ormandy <taviso@...gle.com>
To: oss-security@...ts.openwall.com
Cc: ago@...too.org, Assign a CVE Identifier <cve-assign@...re.org>
Subject: Re: Re: jasper: memory allocation failure in
 jas_malloc (jas_malloc.c)

On Sat, Oct 22, 2016 at 6:03 PM,  <cve-assign@...re.org> wrote:
>
>> https://blogs.gentoo.org/ago/2016/10/18/jasper-memory-allocation-failure-in-jas_malloc-jas_malloc-c
>>
>> AddressSanitizer failed to allocate 0x1000002000 bytes of LargeMmapAllocator
>>
>> 0x7f4f0474e170 in jas_malloc ... jasper-1.900.5/src/libjasper/base/jas_malloc.c:117:9
>> 0x7f4f04764b4f in bmp_getinfo ... jasper-1.900.5/src/libjasper/bmp/bmp_dec.c:297:25
>
> Use CVE-2016-8886.
>

I'm not sure I understand the concern here. Isn't it usually expected
that the administrator configures appropriate ulimits, and the code
should just handle allocation failure gracefully?

If we are considering *not* implementing arbitrary hardcoded limits a
security problem, that seems like a significant change in software
design philosophy (I've heard it called the zero-one-infinity rule
before).

Tavis.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.