• Eezyville@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    9
    ·
    edit-2
    6 months ago

    lmao! Man that’s hilarious!

    “We have a memory leak that could lead to a security issue.We should do something about it.”

    “I made a process that periodically kills those tasks. No one will notice the problem now.”

    The unicorn killer will have a memory leak as well. 💀

      • ipkpjersi
        link
        fedilink
        arrow-up
        3
        ·
        6 months ago

        I don’t think memory leaks could ever amount to a security vulnerability

        In theory it could, after all there are technically denial-of-service vulnerabilities (not DoS/DDoS attacks, that is something different) according to CVE Numbering Athorities.

        • Maybe I’m misunderstanding you, but DoS is exactly the same thing as “denial of service”.

          My point is that memory leaks can only degrade availability; they are categorically distinct from security vulnerabilities.

          • ipkpjersi
            link
            fedilink
            arrow-up
            1
            ·
            edit-2
            6 months ago

            I think you might be misunderstanding me.

            According to the CVE Numbering Athorities, there can be vulnerabilities that result in service being denied, and they refer to them as a denial-of-service vulnerability. For example, there can be a bug in a program that causes it to crash if you perform a certain set of steps/actions, thus resulting in the service being denied. Whereas traditionally, a DoS/DDoS attack is simply flooding a target with more bandwidth than they have available downstream bandwidth. Sending massive amounts of data to overwhelm a service is not the same thing as finding a unique set of actions to cause the program to crash.

            So in theory, yes, a memory leak could amount to and result in a security vulnerability, like if the memory leak is reproducible and so severe it causes a service to crash.

            • Aha, I didn’t realize compromising availability was sufficient for the CVE definition of security vulnerability. Projects I’ve worked on have typically excluded availability, though that may not be the norm.

              And I see your point about some exploits being highly asymmetric in the attacker’s favor, compared to classic [D]DoS.