Re: On memory-leaks as security problems
From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 7 Jan 2021 14:35:11 +0100 (CET)
On Thu, 7 Jan 2021, Jeffrey Walton wrote:
> Size does not matter. If it's a long running process then there's a risk of
> resource exhaustion.
Yes, that's what a memory-leak is. The question is rather if that makes
*every* leak a security problem and if not, which are and which aren't?
The difficulty lies in that grey area between "all" and "none".
> I would not lose a moment's sleep over it. Fix the issue, document it and
> move on.
curl is a fairly known project that is extremely widely used with lots of
people looking at it. Lots of people report found security issues in curl and
lots of companies and researchers would LOVE to get a CVE registered against
curl with their name in it.
We can't ignore these researchers. They come to us with reports and claims. We
need to respond and we need to have a sensible consistent approach based on a
solid foundation of good logic and engineering.
--
 / daniel.haxx.se
 | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://www.wolfssl.com/contact/

Received on 2021-01-07