|
Message-ID: <87leqwtr7t.fsf@hope.eyrie.org> Date: Tue, 06 Sep 2022 09:14:46 -0700 From: Russ Allbery <eagle@...ie.org> To: oss-security@...ts.openwall.com Subject: Re: sagemath denial of service with abort() in gmp: overflow in mpz type Georgi Guninski <gguninski@...il.com> writes: > If you can crash the python interpreter without syscalls and without > the kernel killing it for OOM, would you call this DoS? I would only call it a DoS if it crosses a privilege boundary. A user can always DoS themselves; that's just Ctrl-C. :) The implication here may be that it's unsafe to use sagemath on untrusted input, and that by doing so one creates a DoS opportunity. This would be far (far!) from the only tool for which that's true, and thus not particularly exciting, but possibly an opportunity for better documentation. (One could also reasonably desire that sagemath was safe for use with untrusted input as a feature, but that can be a surprisingly difficult feature to implement.) -- Russ Allbery (eagle@...ie.org) <https://www.eyrie.org/~eagle/>
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.