
Re: Advice about the importance of heap overflow in hdf5


Thank you. It is now in dla-needed.txt

// Ola

On 24 November 2016 at 14:59, Raphael Hertzog <hertzog@debian.org> wrote:

On Tue, 22 Nov 2016, Ola Lundqvist wrote:
> All of them are related to heap overflow that "can potentially cause
> arbitrary code execution".
> This is a security problem, but the question is how important it is.
> The crash is a DoS problem, but my guess is that from that perspective the
> worst thing that will happen is that the person opening the file will be a
> little upset and blame the person sending the file.

We're speaking of a library, you don't know how the library is used
by our users (outside of Debian packages). And even in Debian it's hard to
investigate how it's used everywhere.

Thus I would think twice before deciding to tag this no-dsa.

> I do however think that this is less of an issue as files are not loaded
> automatically (my assumption), but rather by a person who gets a file from a
> hopefully rather trusted source.

I would not make this assumption.

> Also I have in other discussions got the impression that gcc nowadays has
> some kind of heap protection that prevents overwrite of data causing
> arbitrary code execution. I may be wrong however.

Looking at hdf5 in wheezy, I don't see any hardening feature enabled. I
wonder where you saw that gcc has such protections by default in Debian.

> All in all I'm leaning towards marking these as no-dsa, but I would like
> your advice before doing so.

I would not mark them no-dsa.

Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
