[gnutls-devel] GnuTLS | Fix memleak in 'iov_store_grow' (!1277)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Fri Jun 5 14:32:29 CEST 2020

Marius Steffen commented:

Okay, I'm sorry to be so frank, but this is kinda annoying.

I don't think you've realized the severity of this bug, and why _immediate_ fixing, merging and releasing are necessary:
You're developing a library for security relevant stuff, and it's being used in a widely deployed software, namely Samba. So this this little line of code leads to all Samba 4.12+ servers being susceptible to extremely easy and reproducible Denial-of-Service attacks by using up all available memory, hence crashing the server. This is solely a bug in *this* library, not Samba.

This is a security incident, and it should be treated like one, not like a missing feature. Pipelines are okay, I thoroughly tested the fix in my setup, and now you're practically wasting time by refactoring and reevaluating your implementation.

Please. realize. how. urgent. this. is. It's nice to find and fix other *potential* future bugs, but _deploy_(!) the current fix first. Otherwise, maybe you should switch to some less security relevant piece of software.

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1277#note_356114305
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20200605/7ad0b9c7/attachment.html>

More information about the Gnutls-devel mailing list