[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Nano-devel] Vulnerability

From: Mike Frysinger
Subject: Re: [Nano-devel] Vulnerability
Date: Mon, 14 Jan 2013 11:28:45 -0500
User-agent: KMail/1.13.7 (Linux/3.7.1; KDE/4.6.5; x86_64; ; )

On Sunday 13 January 2013 20:26:46 Joshua Rogers wrote:

please don't top post

> Well, it is classified as a vulnerability, even if it is a very small
> one(DoS)

a process that runs away isn't an immediate DoS.  what service exactly are you 
denying access to ?  the immediate editor env ?  the cpu ?  any semi-sane OS 
isn't going to be severely impacted by a runaway editor

as for the former, have you looked at how nano works ?  it reads *the entire 
file* into memory before editing it.  here's another "DoS" for you:
        $ dd if=/dev/zero of=foo seek=100000000 count=1
        $ du -bh foo
        48G     foo
        $ nano foo
        <uses cpu forever as it tries to allocate memory>

you could probably argue it's not the greatest design, but it's not a sec 

> I'm just trying to make it so when you google my name, people don't find
> my previous Black Hat activities, which I've since changed.
> And a CVE entry with like that would be great.

if you're a Black Hat, then you shouldn't have a problem making a new name as 
a White Hat.  but filing CVEs for interactive editors like nano isn't going to 
get you much cred.

Attachment: signature.asc
Description: This is a digitally signed message part.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]