oss-sec mailing list archives
Re: A note on DBus and the Hash DOS
From: Hanno Böck <hanno () hboeck de>
Date: Wed, 7 May 2014 21:09:12 +0200
On Wed, 07 May 2014 12:30:41 -0600 Kurt Seifried <kseifried () redhat com> wrote:
> So many years ago some hash dos stuff happened. I checked into a variety of programs using embedded copies of various things like XML/etc. Also other programs that use hashing for stuff, one of which is DBus.
>
> The bad news: DBus has a vulnerable hash implementation.
>
> The good news: there doesn't appear to be many (any?) ways to inject data easily to trigger this vulnerability.

I don't know how others feel about this, but I'd be more careful with such cases. Basically this sounds to me like a "we don't know if it is a vulnerability, but it could be". And there I'd say "in doubt be on the safe side". Rate them as "very low impact", don't treat them with any urgency, but I think such issues should be fixed and should be called vulnerabilities nevertheless.

--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno () hboeck de
GPG: BBB51E42

Current thread:
- A note on DBus and the Hash DOS Kurt Seifried (May 07)
- Re: A note on DBus and the Hash DOS Hanno Böck (May 07)
- Re: A note on DBus and the Hash DOS Kurt Seifried (May 07)
- Re: A note on DBus and the Hash DOS Hanno Böck (May 07)