[nanomsg] update on a previously reported critical jnano security issue

  • From: Matthew Hall <mhall@xxxxxxxxxxxxxxx>
  • To: nanomsg@xxxxxxxxxxxxx
  • Date: Sat, 21 Mar 2015 22:52:37 -0700

Hi guys,

I am also happy to see a bit of friendly excitement and controversy with good 
old nanomsg. I originally chose to use it for a project of mine because I 
appreciated the POSIX-like, C99-like simplicity, the performance possibilities 
given its similarity to ZeroMQ, and the amount of trust I could place in Martin 
Sustrik & Co. to get the details right. I also liked the decent selection of 
language bindings, so I could have nice clean IPC between the different 
components of my projects.

When doing a secure code review against the Java jnano bindings almost 1 year 
ago (!), I discovered some serious memory / pointer handling security issues 
which could potentially allow full access to arbitrary memory inside of the JVM 
or the JVM's C IO heap (depending upon the details of how all of this is laid 
out in memory by the JDK, which is outside my scope of expertise with JDK code 
hacking).

My entire career has been spent working in security engineering, mostly at 
small companies, so I often get overloaded and can't always do the best job 
patching what I've found. This time I finally made some patches and tested 
them at a light level, but I need the community to help me take this to the 
next level: help me run the jnano test suites, help review my patches 
for JNI and nanomsg usage correctness, and then merge them into jnano, so that 
I don't end up forking to get my fixes, or being forced to leave the upstream 
community vulnerable to remote JDK compromise.

https://github.com/gonzus/jnano/issues/4

Thanks,
Matthew