oss-security - Re: Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <Y2QEz7/6u65wE4cd@wopr>
Date: Thu, 3 Nov 2022 11:13:35 -0700
From: Kurt H Maier <khm@...ops.net>
To: oss-security@...ts.openwall.com
Subject: Re: Re: OpenSSL X.509 Email Address 4-byte Buffer
 Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer
 Overflow (CVE-2022-3786)

On Thu, Nov 03, 2022 at 03:36:51PM -0000, Tavis Ormandy wrote:
> 
> Hanno and I have contributed months of programmer time on openssl
> research and produced a ton of CRITICAL/HIGH issues over the years, not
> to mention nss, gnutls, etc. What you're looking at isn't Monday-morning
> quarterbacking on an unrelated list - this is active prolific opensource
> security researchers discussing their opensource security work on the
> opensource security mailing list :)

I'm aware of your and Hanno's work.  In the past it has not appeared
ex-post-facto in response to a thread where someone is trying to guess
which programming language theory would squash the bug.  That's why I'm
expressing confusion.  Feel free to ignore me.

khm

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.