Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87leqwtr7t.fsf@hope.eyrie.org>
Date: Tue, 06 Sep 2022 09:14:46 -0700
From: Russ Allbery <eagle@...ie.org>
To: oss-security@...ts.openwall.com
Subject: Re: sagemath denial of service with abort() in gmp:
 overflow in mpz type

Georgi Guninski <gguninski@...il.com> writes:

> If you can crash the python interpreter without syscalls and without
> the kernel killing it for OOM, would you call this DoS?

I would only call it a DoS if it crosses a privilege boundary.  A user can
always DoS themselves; that's just Ctrl-C.  :)

The implication here may be that it's unsafe to use sagemath on untrusted
input, and that by doing so one creates a DoS opportunity.  This would be
far (far!) from the only tool for which that's true, and thus not
particularly exciting, but possibly an opportunity for better
documentation.  (One could also reasonably desire that sagemath was safe
for use with untrusted input as a feature, but that can be a surprisingly
difficult feature to implement.)

-- 
Russ Allbery (eagle@...ie.org)             <https://www.eyrie.org/~eagle/>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.