oss-sec mailing list archives
Re: sagemath denial of service with abort() in gmp: overflow in mpz type
From: Seth Arnold <seth.arnold () canonical com>
Date: Wed, 7 Sep 2022 01:30:17 +0000
On Tue, Sep 06, 2022 at 08:45:28AM -0400, Jeffrey Walton wrote:
> One of the problems with GMP is, it will crash instead of returning failure. The problem becomes more acute if the program using GMP is handling sensitive information, like a private key or passphrase. The sensitive material can be written to a dump file and can be sent to an error reporting service.

Could an application that handles secrets and uses GMP use prctl(2)'s PR_SET_DUMPABLE command to prevent dumping the core file? It'd also prevent using ptrace-based debugging, so it's not without costs, but if it handles secrets, that's probably also a good idea.

Thanks
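Added example, not part of the message above or of GMP or SageMath: a small Linux C program that forks a child which dies by abort(), once as-is and once after prctl(PR_SET_DUMPABLE, 0), and reports whether the kernel flagged a core dump. The function name abort_child_dumped_core is hypothetical, and the child's abort() only stands in for the GMP overflow abort discussed in the thread.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: fork a child that dies by abort(), standing in for
 * a GMP overflow abort. Returns 1 if the kernel reported a core dump,
 * 0 if the child died by SIGABRT without one, -1 on any other outcome. */
int abort_child_dumped_core(int harden)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit rl;
        /* Raise the soft core limit to the hard limit so a dump is not
         * suppressed merely by "ulimit -c 0" in the parent shell. */
        if (getrlimit(RLIMIT_CORE, &rl) == 0) {
            rl.rlim_cur = rl.rlim_max;
            setrlimit(RLIMIT_CORE, &rl);
        }
        /* The mitigation: clear the dumpable flag before touching secrets,
         * then read it back to confirm it took effect. */
        if (harden && (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0 ||
                       prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) != 0))
            _exit(2);
        abort();
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (!WIFSIGNALED(status) || WTERMSIG(status) != SIGABRT)
        return -1;
    return WCOREDUMP(status) ? 1 : 0;
}

int main(void)
{
    /* The first result depends on the system's core limits and core_pattern
     * (and may leave a core file behind); the second should be 0. */
    printf("plain abort():        core dumped = %d\n", abort_child_dumped_core(0));
    printf("PR_SET_DUMPABLE = 0:  core dumped = %d\n", abort_child_dumped_core(1));
    return 0;
}
```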