curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: On memory-leaks as security problems

From: Tomalak Geret'kal via curl-library <>
Date: Fri, 8 Jan 2021 13:19:51 +0000

On 07/01/2021 13:47, Jeffrey Walton via curl-library wrote:
> All memory leaks can lead to resource exhaustion on
> platforms that use
> managed languages due to the process lifecycle model.
> The managed languages load and unload a shared object multiple times
> throughout the lifetime of the process.
> I guess that means, if cURL can run on a managed platform, then the
> potential for resource exhaustion exists, and the memory leak is CVE
> worthy.

Can't say I'm really seeing the relevance of managed
platforms. Leaks can have impact anywhere. You don't need to
be fooling a garbage collector to get a memory leak. So just
saying any leak is CVE worthy because you can run cURL on a
managed platform, is the same as saying any leak is CVE
worthy always. Which it isn't.


Received on 2021-01-08