Re: [Libguestfs] [PATCH nbdkit 0/4] Multiple valgrind improvements and possible security fix.

On 12/2/18 10:39 AM, Richard W.M. Jones wrote: >I worked out why valgrind wasn't being applied to nbdkit when run by >many of the tests (patches 1-2). Unfortunately I'm not able to make >it actually fail tests when valgrind fails. Although the situation is >marginally improved in that you can now manually examine the *.log >files and find valgrind failures that way. Also adds valgrinding of >the Python plugin (patch 3). > >Along the way I found that when we create a TLS session object we >never free it, which is a bit of a problem (although easy to fix - >patch 4). > >I'll need to backport this fix to every stable branch. It's not clear >how exploitable this is -- it's my feeling that you'd need to open >millions of TLS sessions which would take forever, and the result >would only be a denial of service as nbdkit runs out of memory and >crashes. Can the leak happen with merely a port probe, or only by someone that was able to get past the handshake? If the former, then it is a vehicle for DoS attacks and probably worth a CVE (because the person performing the port probe can crash nbdkit from servicing real clients, even though the attacker does not own TLS credentials);

if the latter, it is not a security bug (no escalation in privilege by locking yourself out).