Full Disclosure mailing list archives
Re: [TZO-27-2009] Firefox Denial of Service (Keygen)
From: Thierry Zoller <Thierry () Zoller lu>
Date: Thu, 28 May 2009 23:15:45 +0200
Hi Travis, With all due respect:
A memory leak in an interactive program that requires you to view a hostile page for 9 hours is clearly of negligible security impact.
Ok I will take the strawman: The impact is Denial of Service.

Ignoring that this discussion is of *any* interest to anybody or even for this overly stupid problem:
- 9 hours for 300+ megabytes
- x minutes for x bytes

Only a few bytes of "k" leads to the compromise of the private key. (DSA).

Does this matter, not really. It's your key anyways. Does something "leak" to somewhere where it's not supposed to be, no. Memory is just not correctly freed.

---
I'm sure that if you were to familiarise yourself with some of the rudimentary concepts involved in dynamic memory allocation you will understand their decision.
---

Yep, I am an ignorant idiot, can we move on now?

If *you* can't imagine a setup or extreme border case where (as example) entropy that is being collected is indirectly affected, be it in quality of entropy or size, then clearly *I* must be the idiot that doesn't understand the concept of memory allocations.

---
Rest assured, there is zero possibility that a memory leak can result in "reduced entropy, weak key material etc" as you mentioned in email.
---

If you want to discuss further I'd recommend to take it off list.

General comment: I am interested to see the kind of feedback I get when posting a Firefox bug as opposed to bugs of other vendors. It's almost like you hit a little boy and everybody steps in for his defence.

Anyways, too much noise for such a stupid, near irrelevant bug.

--
http://blog.zoller.lu
Thierry Zoller