Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20220907013017.GA1357227@millbarge>
Date: Wed, 7 Sep 2022 01:30:17 +0000
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: sagemath denial of service with abort() in gmp:
 overflow in mpz type

On Tue, Sep 06, 2022 at 08:45:28AM -0400, Jeffrey Walton wrote:
> One of the problems with GMP is, it will crash instead of returning
> failure. The problem becomes more acute if the program using GMP is
> handling sensitive information, like a private key or passphrase. The
> sensitive material can be written to a dump file and can be sent to an
> error reporting service.

Could an application that handles secrets and uses GMP use prctl(2)'s
PR_SET_DUMPABLE command to prevent dumping the core file? It'd also
prevent using ptrace-based debugging, so it's not without costs, but if
it handles secrets, that's probably also a good idea.

Thanks

Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.