
Re: Recent Heartbleed OpenSSL bug may affect HTTPS Subversion servers

From: Ben Reser <ben_at_reser.org>
Date: Sat, 12 Apr 2014 11:33:36 -0700

On 4/12/14, 1:30 AM, Thorsten Schöning wrote:
> Are you sure about that? From my understanding it is necessary that
> data passes OpenSSL's memory to get retrieved because it implements
> its own malloc. I had the feeling that in case of heartbleed only
> sending passwords over http would have been the "more secure" way
> because in that case they wouldn't have been retrievable because they
> never passed memory allocated using OPENSSL_malloc() at all.

No, that's not accurate at all. The malloc implementation doesn't matter at
all; the process can read memory that's allocated by any memory allocator.
Ultimately all of them have to use the same kernel interfaces to request the
memory.

The requirements are that the memory be allocated at a larger memory address
than the memory being used for the heartbeat feature and that it be within 64k
of that memory space. With memory fragmentation and a lot of requests just
about anything can be retrieved.
Received on 2014-04-12 20:32:56 CEST
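The point Ben makes above, that the allocator is irrelevant and only what happens to sit in the address range just above the heartbeat buffer matters, is easiest to see with a simulation of the over-read. The following is an added example and is not code from this thread or from OpenSSL. It keeps the real heartbeat record layout (a type byte, a 16-bit payload length, the payload, then at least 16 bytes of padding), but the contiguous `arena`, the `secret` string, its offset, and all function names are constructed for the demonstration. The vulnerable handler copies as many bytes as the length field claims; the fixed handler has the shape of the post-Heartbleed check and discards any record whose claimed payload does not fit in what was actually received.

```c
/* Simulated TLS heartbeat handling, modelled on the Heartbleed over-read.
 * This is an added example, not code from the thread or from OpenSSL. The
 * record layout (type, 16-bit payload length, payload, 16 bytes of padding)
 * follows the heartbeat extension; the arena, the secret string and the
 * function names are constructed for the demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_HEADER   3                 /* type byte + 2-byte payload length */
#define ARENA_SIZE  (65536 + HB_HEADER + HB_PADDING)

/* One contiguous region standing in for "whatever sits above the heartbeat
 * buffer in the process": the received record at offset 0 and a constructed
 * secret a little further up. Which allocator carved these out does not
 * matter; only the adjacency (within 64k, above the buffer) does. */
static unsigned char arena[ARENA_SIZE];
static unsigned char response[ARENA_SIZE];
static const char secret[] = "password=hunter2";   /* constructed */
#define SECRET_OFFSET 200

/* Place a heartbeat request at arena[0] and the secret above it. `claimed`
 * is what the attacker writes into the length field; `actual` is how many
 * payload bytes really follow it. Returns the record length actually
 * received, which is what the fixed handler compares against. */
static size_t build_request(uint16_t claimed, const char *payload, size_t actual) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + HB_HEADER, payload, actual);
    memcpy(arena + SECRET_OFFSET, secret, strlen(secret));
    return HB_HEADER + actual + HB_PADDING;
}

/* Vulnerable shape: trust the length field and copy that many bytes from
 * the payload, regardless of how many bytes were actually received. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out) {
    (void)rec_len;                                  /* never consulted */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len); /* over-read */
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return HB_HEADER + payload_len + HB_PADDING;
}

/* Fixed shape: header + claimed payload + padding must fit inside the record
 * that was actually received; otherwise drop it silently. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out) {
    if (rec_len < HB_HEADER + HB_PADDING) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + payload_len + HB_PADDING > rec_len) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);
    return HB_HEADER + payload_len + HB_PADDING;
}

/* Does the response carry the secret? Plain substring scan. */
static int leaks_secret(const unsigned char *buf, size_t n) {
    size_t m = strlen(secret);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, secret, m) == 0) return 1;
    return 0;
}

/* Send a 2-byte payload with a lying length field through each handler.
 * Returns 1 if the secret came back, 0 if a clean response came back,
 * -1 if the handler discarded the record. */
int probe_vulnerable(uint16_t claimed) {
    size_t n = build_request(claimed, "hi", 2);
    size_t r = heartbeat_vulnerable(arena, n, response);
    return r ? leaks_secret(response, r) : -1;
}

int probe_fixed(uint16_t claimed) {
    size_t n = build_request(claimed, "hi", 2);
    size_t r = heartbeat_fixed(arena, n, response);
    return r ? leaks_secret(response, r) : -1;
}

int main(void) {
    printf("vulnerable, claimed=1000: %d\n", probe_vulnerable(1000));
    printf("fixed,      claimed=1000: %d\n", probe_fixed(1000));
    printf("fixed,      claimed=2:    %d\n", probe_fixed(2));
    return 0;
}
```

Nothing in the vulnerable handler references how `arena` was obtained; the secret is recovered purely because it lies above the record and within the 16-bit range the length field can express. Moving `SECRET_OFFSET` below the record, or beyond 65536 bytes above it, is the only way to keep it out of the response without the bounds check.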

This is an archived mail posted to the Subversion Users mailing list.
