Full Disclosure mailing list archives
Re: [TZO-27-2009] Firefox Denial of Service (Keygen)
From: Tavis Ormandy <taviso () sdf lonestar org>
Date: Thu, 28 May 2009 22:52:15 +0200
Thierry Zoller <Thierry () Zoller lu> wrote:
> Hi Tavis, the bug title says Denial of Service, not information leak, or crypto leak or whatever.

I'm confused what it is you're replying to; I was clearly pointing out that your misunderstanding of the term "memory leak" in the "impact" section of your post led you to vastly overestimate the potential impact of your bug.

> That's it. One might want to write a paper on how, by indirect means, memory leaks can wreak havoc; that's an exercise I happily leave to the reader. The point was that you had better analyse them instead of having them sit there for a few months. Period, nothing more, nothing less.

A memory leak in an interactive program that requires you to view a hostile page for 9 hours is clearly of negligible security impact. The reason you are having trouble comprehending why the Mozilla developers have evidently triaged this issue as low priority is that they are aware that "memory leak" != "information leak". I'm sure that if you were to familiarise yourself with some of the rudimentary concepts involved in dynamic memory allocation you will understand their decision. Rest assured, there is zero possibility that a memory leak can result in "reduced entropy, weak key material etc." as you mentioned in email.

Thanks, Tavis.

--
-------------------------------------
taviso () sdf lonestar org | finger me for my pgp key.
-------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/