Re: On memory-leaks as security problems
From: Tomalak Geret'kal via curl-library <curl-library_at_cool.haxx.se>
Date: Fri, 8 Jan 2021 13:19:51 +0000
On 07/01/2021 13:47, Jeffrey Walton via curl-library wrote:
> All memory leaks can lead to resource exhaustion on platforms that use
> managed languages due to the process lifecycle model.
>
> The managed languages load and unload a shared object multiple times
> throughout the lifetime of the process.
>
> I guess that means, if cURL can run on a managed platform, then the
> potential for resource exhaustion exists, and the memory leak is CVE
> worthy.
Can't say I'm really seeing the relevance of managed
platforms. Leaks can have impact anywhere. You don't need to
be fooling a garbage collector to get a memory leak. So just
saying any leak is CVE worthy because you can run cURL on a
managed platform is the same as saying any leak is CVE
worthy always. Which it isn't.
Cheers
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
Received on 2021-01-08