Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20220906145100.kmnuhcj4slmbrokz@yuggoth.org>
Date: Tue, 6 Sep 2022 14:51:01 +0000
From: Jeremy Stanley <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: Re: sagemath denial of service with abort() in gmp:
 overflow in mpz type

On 2022-09-06 16:26:58 +0300 (+0300), Georgi Guninski wrote:
> If you can crash the python interpreter without syscalls and
> without the kernel killing it for OOM, would you call this DoS?

I didn't say it wasn't a denial of service, but you can trivially
create all manner of "denials of service" (and far, far worse things
too) of the CPython interpreter and anything running in it by asking
it to execute arbitrary Python code. It's more a question of whether
that's something that can or even should be "fixed." If a program's
author chooses to intentionally pass user-supplied code to CPython,
hopefully they do so knowing all the risks and informing their users
of the same.
-- 
Jeremy Stanley

Download attachment "signature.asc" of type "application/pgp-signature" (964 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.