Re: Local memory disclosure (was: libpurple CVE UnRequest)

[Tomas Hoger <thoger () redhat com>]

On Mon, 21 Mar 2011 12:02:40 -0400 (EDT) Steven M. Christey wrote:

> Disclosure of "local" memory to another user on the same system could 
> qualify for CVE inclusion, if the memory can contain something
> sensitive.

The patches fixes the code that was intended to clean up wipe certain
buffers that were used to store crypto material before freeing them.
As the CC on John was dropped, I guess he did not see your follow-up to
clarify his "local".

My understanding is that this issue may increase impact of some other
memory disclosure issue (encryption key leaked vs. e.g. a random chat
message), but requires some other flaw to be an issue.

-- 
Tomas Hoger / Red Hat Security Response Team