On Fri, Oct 31, 2025 at 12:04 PM Nicolas George <[email protected]> wrote:
>
> Vincent Lefevre (HE12025-10-31):
> > You would have seen that there is potential denial of service
> > (process crashes).
>
> At worst, true. It is a mistake to lump denials of service together with
> real security flaws. For starters, it is possible to deny service by the
> virtue of being bigger than the target, without any flaw in the target.

I think they are two different attack vectors. A DDoS is different from a crash. Both affect Availability (re: CIA), but the remediations are different. For DDoS, you often get the upstream network provider to provide protections and filtering. For a crash, you have to fix the code.

> > Worse, Fabio Degrigis could trigger a SIGSEGV on a memcpy:
> >
> >   https://www.openwall.com/lists/oss-security/2025/10/18/4
> >
> > which would mean a bad pointer or buffer overflow.
>
> → a crash.

The thing about a crash (or a call to abort(), a SIGABRT or a SIGSEGV) is, it can corrupt state. So your database (or other persistent data) could become corrupt. That's an attack on Integrity (re: CIA).

> > > Almost all software runs on Windows or macOS. So what?
> >
> > Here we're on Debian.
>
> You have not answered: so what if most software does something? Is it
> supposed to imply that it is a good thing?
>
> > > This is silly.
>
> Absolutely not. In terms of security and stability, there is no
> difference between a package that you have not installed because you
> have chosen not to install it and a package that you have not installed
> because it is not available.

Jeff
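To illustrate the Integrity point made above (an added example, not code from anyone in the thread): a constructed three-record account file is updated by a process that dies partway through. A naive in-place rewrite leaves a partial file behind, while writing to a temp file and renaming it over the original (os.replace) keeps the old, consistent contents. The crash is simulated with an exception; a real SIGSEGV is no gentler to the truncated file.

```python
import os
import tempfile

# Constructed sample "database": one line per account. The file is only
# consistent when every record is present, so an update must land whole.
INITIAL = ["alice:100", "bob:200", "carol:300"]
UPDATED = ["alice:50", "bob:250", "carol:300"]  # alice pays bob 50

class SimulatedCrash(Exception):
    pass  # stands in for a SIGSEGV/SIGABRT killing the process mid-update

def write_in_place(path, records, crash_after=None):
    """Naive update: truncate the live file, then write record by record."""
    with open(path, "w") as f:
        for i, rec in enumerate(records):
            if i == crash_after:
                raise SimulatedCrash  # file already truncated; partial data stays
            f.write(rec + "\n")

def write_atomic(path, records, crash_after=None):
    """Write a temp file beside the target, fsync it, then rename it over
    the target. A crash before os.replace() leaves the old file intact."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".tmp-")
    try:
        with os.fdopen(fd, "w") as f:
            for i, rec in enumerate(records):
                if i == crash_after:
                    raise SimulatedCrash
                f.write(rec + "\n")
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # readers see the old file or the new one, never a mix
    finally:
        if os.path.exists(tmp):  # only left over if we crashed before the rename
            os.unlink(tmp)

def load(path):
    with open(path) as f:
        return [line.rstrip("\n") for line in f]

def state_after_crash(writer, crash_after=1):
    """Seed a consistent file, crash mid-update via `writer`, return what is on disk."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "accounts.db")
        write_atomic(path, INITIAL)
        try:
            writer(path, UPDATED, crash_after=crash_after)
        except SimulatedCrash:
            pass
        return load(path)
```

state_after_crash(write_in_place) returns only alice's new balance, with bob's and carol's records gone; state_after_crash(write_atomic) returns the original three records untouched.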

