[14446] in cryptography@c2.net mail archive
Protocol implementation errors
daemon@ATHENA.MIT.EDU (Bill Frantz)
Fri Oct 3 13:17:04 2003
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <20031002024014.67E1C7B43@berkshire.research.att.com>
Date: Thu, 2 Oct 2003 14:50:21 -0700
To: cryptography@metzdowd.com
From: Bill Frantz <frantz@pwpconsult.com>
Cc: e-lang@mail.eros-os.org
From:
> -- Security Alert Consensus --
> Number 039 (03.39)
> Thursday, October 2, 2003
> Network Computing and the SANS Institute
> Powered by Neohapsis
>
>*** {03.39.004} Cross - OpenSSL ASN.1 parsing vulns
>
>OpenSSL versions 0.9.6j and 0.9.7b (as well as prior) contain multiple
>bugs in the parsing of ASN.1 data, leading to denials of services. The
>execution of arbitrary code is not yet confirmed, but it has not been
>ruled out.
This is the second significant problem I have seen in applications that use
ASN.1 data formats. (The first was in a widely deployed implementation of
SNMP.) Given that good, security conscience programmers have difficultly
getting ASN.1 parsing right, we should favor protocols that use easier to
parse data formats.
I think this leaves us with SSH. Are there others?
Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz | "There's nothing so clear as | Periwinkle
(408)356-8506 | vague idea you haven't written | 16345 Englewood Ave
www.pwpconsult.com | down yet." -- Dean Tribble | Los Gatos, CA 95032
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
