[Cryptography] It's GnuTLS's turn: "Critical new bug in crypto library leaves Linux, apps open to drive-by attacks"
Dmitry Belyavsky
beldmit at gmail.com
Tue Jun 3 15:51:59 EDT 2014
Hello Jerry,
On Tue, Jun 3, 2014 at 9:57 PM, Jerry Leichter <leichter at lrw.com> wrote:
> "A recently discovered bug in the GnuTLS cryptographic code library puts
> users of Linux and hundreds of other open source packages at risk of
> surreptitious malware attacks until they incorporate a fix developers
> quietly pushed out late last week."
>
>
> http://arstechnica.com/security/2014/06/critical-new-bug-in-crypto-library-leaves-linux-apps-open-to-drive-by-attacks/
>
> It's a buffer overflow induced by sending an overly long session ID.
> Allegedly code execution has already been demonstrated.
>
> So now we've had serious attacks on Apple's private SSL implementation,
> OpenSSL, and now GnuTLS. Is anything left standing? What does Windows
> use for its SSL implementation?
>
NSS seems to be still unbroken :-)
> If this isn't the death of "it's open source, any bugs will be found
> quickly", I don't know what will be. But it really is way past time to get
> beyond that, and every other technique we're currently using. They ain't
> working. We have new tools - better languages, better analyzers, better
> ways of managing sensitive code bases. Maybe they're better, maybe they
> aren't - but we'll never find out because we aren't using any of them.
>
For crypto we still have mostly Old Faithful С, don't we?
But yes, I think that, having a dozen megabytes of source code, nobody can
find such bugs.
--
SY, Dmitry Belyavsky
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140603/2253a49f/attachment.html>
More information about the cryptography
mailing list