On Thu, Jan 7, 2021 at 8:35 AM Daniel Stenberg <dan...@haxx.se> wrote:
>
> On Thu, 7 Jan 2021, Jeffrey Walton wrote:
>
> > Size does not matter. If it's a long running process then there's a risk of
> > resource exhaustion.
>
> Yes, that's what a memory-leak is. The question is rather if that makes
> *every* leak a security problem and if not, which are and which aren't?
>
> The difficulty lies in that grey area between "all" and "none".

All memory leaks can lead to resource exhaustion on platforms that use managed languages due to the process lifecycle model. The managed languages load and unload a shared object multiple times throughout the lifetime of the process.

I guess that means, if cURL can run on a managed platform, then the potential for resource exhaustion exists, and the memory leak is CVE worthy.

Jeff