Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAH8yC8k8C-gp9upSpJLsXrhBB5-qSnKGeP34+32A-_s5YG3UTA@mail.gmail.com>
Date: Tue, 6 Sep 2022 08:45:28 -0400
From: Jeffrey Walton <noloader@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: sagemath denial of service with abort() in gmp:
 overflow in mpz type

On Tue, Sep 6, 2022 at 7:52 AM Jeremy Stanley <fungi@...goth.org> wrote:
>
> On 2022-09-06 08:47:58 +0300 (+0300), Georgi Guninski wrote:
> [...]
> > sagemath gives access to the python interpreter, so code execution
> > is trivial.
> [...]
>
> I'm not familiar with sagemath, but is it intended to protect
> against such cases? Note that even if all it does is pass
> expressions into CPython's eval(), it's pretty much impossible to
> guard against misuse without completely sandboxing the underlying
> processes. Denial of service scenarios are really the least of
> worries in that case. Many articles have been written over the years
> about this, though one of the more recent and thorough ones is:
> https://netsec.expert/posts/breaking-python3-eval-protections/

One of the problems with GMP is, it will crash instead of returning
failure. The problem becomes more acute if the program using GMP is
handling sensitive information, like a private key or passphrase. The
sensitive material can be written to a dump file and can be sent to an
error reporting service. So there's a DoS in the app, and a possible
egress of sensitive information outside the app's security boundary.

It is not clear to me whether that is happening in this instance, though.

Stepping back a bit, the GMP library is setting a policy for an
application. That is, GMP is setting the policy of "crash instead of
fail." An application should set their policy, not libraries. Apps are
in the position to determine  strategy they need, not libraries.
Libraries know nothing about an application's security requirements or
strategy.

Jeff

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.