Date: Thu, 10 Apr 2014 16:25:47 -0700
From: Xin Li <delphij@delphij.net>
To: FreeBSD stable <freebsd-stable@freebsd.org>
Subject: Re: OpenSSL CVE-2014-0160 (openssl) in 10-STABLE workaround?
Message-ID: <5347287B.9010900@delphij.net>
In-Reply-To: <20140408180026.GC2676@e-Gitt.NET>
References: <20140408180026.GC2676@e-Gitt.NET>

On 04/08/14 11:00, Oliver Brandmueller wrote:
> Would it probably help (with the performance impact in mind) to set
> malloc option junk:true to lower the risk of leaking
> information?
[...]
> Anyone with better insights could comment on that?

Neither will help for CVE-2014-0160. It's not that the newly allocated
buffer didn't get initialized; it's reading beyond the boundary of another
buffer, and thus these mitigations on the allocation side have nothing to
do with the problem.

Hope this helps.

Cheers,
-- 
Xin LI <delphij@delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
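
The distinction drawn in the reply above, as an added example that is not part of the original message: a handler that trusts a peer-supplied length reads past its own buffer into a neighbouring live allocation, so junk-filling at allocation time changes nothing, while a length check does. The toy arena, the fill byte and the names `toy_alloc`, `echo` and `demo_leaks` are hypothetical, and the secret is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Toy bump allocator over one array, standing in for the heap (constructed). */
static unsigned char arena[256];
static size_t arena_used;

/* With junk != 0, fill the new allocation with 0xa5 before returning it. */
static unsigned char *toy_alloc(size_t n, int junk)
{
    unsigned char *p = arena + arena_used;
    if (n > sizeof arena - arena_used)
        return NULL;
    arena_used += n;
    if (junk)
        memset(p, 0xa5, n);
    return p;
}

/* claimed_len comes from the peer, actual_len is what was really received.
 * check == 0 trusts claimed_len; check != 0 drops over-long claims. */
static size_t echo(const unsigned char *req, size_t actual_len,
                   size_t claimed_len, unsigned char *out, int check)
{
    if (check && claimed_len > actual_len)
        return 0;
    memcpy(out, req, claimed_len); /* can run past req into its neighbour */
    return claimed_len;
}

/* Returns 1 if the reply contains the neighbouring secret, else 0. */
int demo_leaks(int junk, int check)
{
    static const char secret[] = "CONSTRUCTED-SECRET";
    unsigned char reply[64], *req, *key;
    size_t n, i;
    arena_used = 0;
    req = toy_alloc(4, junk);             /* request buffer (sizes fit the arena) */
    key = toy_alloc(sizeof secret, junk); /* unrelated live allocation */
    memcpy(req, "ping", 4);
    memcpy(key, secret, sizeof secret);   /* live data overwrites the junk */
    n = echo(req, 4, 4 + sizeof secret, reply, check);
    for (i = 0; i + sizeof secret <= n; i++)
        if (memcmp(reply + i, secret, sizeof secret) == 0)
            return 1;
    return 0;
}

int main(void) { printf("%d %d\n", demo_leaks(1, 0), demo_leaks(1, 1)); return 0; }
```

The over-read stays inside the arena array, so the demonstration itself has defined behaviour.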