[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Triage advice for CVE-2020-8492

Hi Ben

Thank you. I realize that I misunderstood things. It is the server side that sends this string, not the user on the client side. I'll adjust my analysis accordingly.
This means that a malicious server can cause a DoS on client side.

Best regards

// Ola

On Sun, 2 Feb 2020 at 23:55, Ben Hutchings <ben@decadent.org.uk> wrote:
On Fri, 2020-01-31 at 21:18 +0100, Ola Lundqvist wrote:
> Hi fellow LTS development team
> I'm not sure how to handle CVE-2020-8492. It is a client side vulnerability
> and what it can cause it CPU load issue (on the client side as I
> understand). I can not really see how it can be exploited in any normal
> client. Sure if the attacker creates new python code it can, but then it
> can do that anyway because an infinite loop is quite easy to do in any
> python code.

I don't know for sure, but I think the test case given in the upstream
issue exercises part of the normal response handling.  I think it shows
what happens if a server sends a response with the header field:

www-authenticate: Basic ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, foo realm


> So I think it is probably a minor issue, but I would like to check with
> others for an opinion,.
> For now I have marked as ignored, but if people have good arguments I will
> change my mind.
> Best regards
> // Ola
Ben Hutchings
I haven't lost my mind; it's backed up on tape somewhere.

 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |

Reply to: