Re: Credentials held unencrypted in memory during runtime

From: Simon Large <simon.tortoisesvn_at_gmail.com>
Date: Mon, 11 Apr 2011 22:55:48 +0100

On 11 April 2011 18:26, Stefan Küng <tortoisesvn_at_gmail.com> wrote:
> On 11.04.2011 19:15, Feldhacker, Chris wrote:
>> I would agree that it is a security vulnerability, but, yes, the risk
>> is low.
>
> No, it's not. Really.
>
>> It would be a "Sensitive Data Protection Vulnerability"
>> https://www.owasp.org/index.php/Category:Sensitive_Data_Protection_Vulnerability
>>
>>
> The first example even:
>> "Information leakage results from insufficient memory clean-up"
>
> this requires that the information is somehow revealed to the user,
> without the user having the privileges to see it (like in an error
> message on a website).

I think the issue is simply that when the program (TProc) exits, that
physical memory is freed and can then be allocated to another process.
If it contains sensitive information then the second process, which
may be completely unrelated, can see it.

Simon

-- 
:       ___
:  oo  // \\      "De Chelonian Mobile"
: (_,\/ \_/ \     TortoiseSVN
:   \ \_/_\_/>    The coolest Interface to (Sub)Version Control
:   /_/   \_\     http://tortoisesvn.net
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2718968
Received on 2011-04-11 23:56:10 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.