Re: Advice about the importance of heap overflow in hdf5


On Tue, 22 Nov 2016, Ola Lundqvist wrote:
> All of them are related to heap overflow that "can potentially cause
> arbitrary code execution".
> This is a security problem, but the question is how important it is.
> The crash is a DoS problem, but my guess is that from that perspective the
> worst thing that will happen is that the person opening the file will be a
> little upset and blame the person sending the file.

We're speaking of a library; you don't know how the library is used
by our users (outside of Debian packages). And even in Debian it's hard to
investigate how it's used everywhere.

Thus I would think twice before deciding to tag this no-dsa.

> I do however think that this is less of an issue as files are not loaded
> automatically (my assumption), but rather by a person who gets a file from a
> hopefully rather trusted source.

I would not make this assumption.

> Also I have in other discussions got the impression that gcc nowadays has
> some kind of heap protection that prevents overwrite of data causing
> arbitrary code execution. I may be wrong however.

Looking at hdf5 in wheezy, I don't see any hardening feature enabled. I
wonder where you saw that gcc has such protections by default in Debian.

> All in all I'm leaning towards marking these as no-dsa, but I would like
> your advice before doing so.

I would not mark them no-dsa.
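The reply above rests on actually inspecting the built hdf5 objects for hardening features rather than assuming the toolchain enables them. The following is an added example, not code from this thread or from Debian's hardening-check script (which it loosely imitates): it parses the ELF64 header and program headers to check PIE, non-executable stack and RELRO, and falls back to a byte-level heuristic for the stack protector and FORTIFY symbols. The `build_sample_elf` helper is constructed here purely so the checker can run offline on a synthetic object; `FORTIFY_SYMBOLS` is an assumed, non-exhaustive list.

```python
import struct
import sys

# ELF constants from the ELF/SysV ABI spec.
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1

# Assumed, non-exhaustive set of glibc FORTIFY_SOURCE entry points (heuristic).
FORTIFY_SYMBOLS = (b"__memcpy_chk", b"__strcpy_chk", b"__sprintf_chk",
                   b"__printf_chk", b"__read_chk", b"__fgets_chk")


def parse_elf64(data: bytes) -> dict:
    """Return e_type and the (p_type, p_flags) of every program header."""
    if data[:4] != b"\x7fELF" or data[4] != 2:      # EI_CLASS == 2 -> ELF64
        raise ValueError("not an ELF64 file")
    endian = "<" if data[5] == 1 else ">"            # EI_DATA: 1 = little-endian
    e_type = struct.unpack_from(endian + "H", data, 16)[0]
    e_phoff = struct.unpack_from(endian + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from(endian + "II", data, off)
        phdrs.append((p_type, p_flags))
    return {"e_type": e_type, "phdrs": phdrs}


def hardening_report(data: bytes) -> dict:
    """Crude hardening check; symbol tests are byte searches, not a real symtab parse."""
    elf = parse_elf64(data)
    stack = [flags for t, flags in elf["phdrs"] if t == PT_GNU_STACK]
    return {
        # For a shared library e_type is always ET_DYN, so "pie" is only
        # meaningful for executables.
        "pie": elf["e_type"] == ET_DYN,
        # A missing PT_GNU_STACK header means the kernel grants an executable stack.
        "nx_stack": bool(stack) and not (stack[0] & PF_X),
        # Partial RELRO only; full RELRO would additionally need DT_BIND_NOW.
        "relro": any(t == PT_GNU_RELRO for t, _ in elf["phdrs"]),
        "stack_protector": b"__stack_chk_fail" in data,
        "fortify": any(name in data for name in FORTIFY_SYMBOLS),
    }


def build_sample_elf(pie: bool, nx: bool, relro: bool, stack_protector: bool) -> bytes:
    """Constructed minimal ELF64 image (header + program headers) for offline testing."""
    phdrs = [struct.pack("<IIQQQQQQ", PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 0)]
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 0))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0,   # e_type..e_flags (x86-64)
        64, 56, len(phdrs), 64, 0, 0)                    # e_ehsize..e_shstrndx
    body = b"".join(phdrs)
    if stack_protector:
        body += b"\0__stack_chk_fail\0"
    return ehdr + body


if __name__ == "__main__":
    # Usage: python check_hardening.py /path/to/libhdf5.so
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample_elf(True, True, True, True)
    for feature, present in hardening_report(blob).items():
        print(f"{feature:16} {'yes' if present else 'NO'}")
```

Run it against the library in a chroot of the affected suite to replace a guess about "gcc protections" with an observation; an all-"NO" line for a library that parses untrusted files is the case for a DSA rather than no-dsa.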

