OpenSSL CVE-2014-0160 (openssl) in 10-STABLE workaround?
Xin Li
delphij at delphij.net
Thu Apr 10 23:25:48 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 04/08/14 11:00, Oliver Brandmueller wrote:
> Would it probably help (with the performance impact in mind) to set
> malloc option junk:true to lower the risk of leakting
> information?
[...]
> Anyone with better insights could comment on that?
Neither will help for CVE-2014-0160.
It's not the buffer newly allocated didn't get initialized, it's
reading beyond boundary of another buffer and thus these mitigation at
allocation side have nothing to do with the problem.
Hope this helps.
Cheers,
- --
Xin LI <delphij at delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
iQIcBAEBCgAGBQJTRyh6AAoJEJW2GBstM+nsg6gP/RLb6lH9dY07IRIUHLIfnE1a
dzVmVnehS3KCkI6YZJLQSSaTSi48TRNttQMw1skNVffpQ6Xnk8aT8TIQI6YE61I0
m2DhXzcFylCyFpv2rOy0Y6c90uHoE98fwI2k1qA9cV4hxHN9M0hL1HxX35Wt1Sy/
vXcnbh4YUu17Pnu7t8irEcCI/Q+iz9Xqmjp9FzUT4+il5Ti4kmOerbGV7CKl+3Gj
kJApWKkZAavIqDCP8NthwJsK/eH1CRefU1HGMfAFwU7qd4XOaS655oPLS53lGPeK
r2wXzN2oKlXDchO2gvacGipDQN8QLNqfzPnMEwCvwaCsBcNYJt6suyXdYS+M8HWs
AwRsR4KeS+EF8a5OMjCFOUCSVkg5E88E6ZtwgmIehZyKRZIncY1E1QaMw2ys9kWX
Dy4MKGsSjmEoa2Gq/IGZQ9rY44scV8HysVo2V6JY7fQZm1s+EO5MjLcRooXiKeL0
GvM+pMTXNCfU5eXnkBW2vLKNrtbY7gFuhcTY/ixKCeu/WZ0SuwwgxXGGUHazsOS0
1Wl1Y7hjZao3CMDiaR0RUW43rSk9hxW/MMrh5+29kCoPERFeh3NCPqkdP4Wk+HiT
8PZzcBmJGiC26vJRWCSotMLCYwKSBuIQf+OlOgIs+9ZXcph36JowMz3GffP1ezbB
1pZOwklyRdMn5lhbtXdN
=Et0+
-----END PGP SIGNATURE-----
More information about the freebsd-stable
mailing list