Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <4157335.rtgyRqVO9G@tjmaciei-mobl1>
Date: Sat, 14 Jan 2017 09:39:24 -0800
From: Thiago Macieira <thiago@...ieira.org>
To: Solar Designer <solar@...nwall.com>
Cc: security@...project.org, oss-security@...ts.openwall.com
Subject: Re: [Security] Qt QXmlSimpleReader

On sábado, 14 de janeiro de 2017 17:42:11 PST Solar Designer wrote:
> > No, there's no such limitation, but many classes will impose 2 GB limits
> > due to array sizes. The only problem is that getting close to that limit
> > will already run into code we don't usually test. There are also some
> > problems with UB on signed overflow on Qt 4.8 and in early Qt 5 versions
> > (I think I fixed it in 5.4 or 5.5).
> 
> In general, are applications using Qt supposed to sanity-check the sizes
> to be significantly below 2 GiB before passing such data on to Qt?

Normal applications are supposed to be designed to use the Qt containers with, 
in the extreme, a couple hundred thousand items. If you're using them with 
upwards of a billion elements, you should redesign.

If you're dealing with untrusted data, then you're supposed to sanity check it 
before passing to any container. That's true for even the Standard Library 
containers: you don't ask it to allocate 6 GB just because you got that size 
from the network or some file, because it may succeed and that would still be a 
DoS due to high swap usage.

As for QXmlSimpleReader and for the whole QtXml module, it is in Done state. 
We're not working on it. We will fix security issues, though, so we need to 
analyse the details that you've supplied.

-- 
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
   Software Architect - Intel Open Source Technology Center

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.