Date: Tue, 16 Mar 2010 18:17:23 +0000
From: Brian Stafford <brian@...fford.uklinux.net>
To: Ludwig Nussel <ludwig.nussel@...e.de>
Cc: oss-security@...ts.openwall.com, libesmtp@...fford.uklinux.net,
	security@...ntu.com, Pawel Salek <pawsa@...ochem.kth.se>,
	jskarvad@...hat.com
Subject: Re: CVE Request: libesmtp does not check NULL bytes
 in commonName

Ludwig Nussel wrote:
> Brian Stafford wrote:
>   
>> Ludwig Nussel wrote:
>>     
>>> Brian Stafford wrote:
>>>   
>>>       
>>>> I think the best approach is to apply Pawel's patch as this is the 
>>>>         
>>> I must have missed that patch. Could you re-post it?
>>>   
>>>       
>> It's available at https://bugzilla.redhat.com/attachment.cgi?id=399131
>>     
>
> Doesn't that lack a null byte check for subjAltNames?
>
> cu
> Ludwig
>
>   
You're right.  I'll look over your patch again.  One small issue I have 
is that declarations are interspersed with code which is not standard 
pre-C99, although if speed is of the essence this can be ignored as I 
will get an official libESMTP release out soon.

Regards
Brian
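
The check under discussion, as an added example that is not part of this thread and is not taken from either patch: a certificate name is length-delimited bytes, so any name containing a NUL is rejected before comparison, for subjAltName entries as well as commonName. The type and function names are hypothetical, the sample names are constructed, and wildcard matching is left out.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical type: one name from a certificate, as raw bytes plus the
 * length carried in its ASN.1 encoding (not a C string). */
struct cert_name { const unsigned char *data; size_t len; };

/* Constructed samples: the first hides a NUL inside the name. */
static const unsigned char bad[] = "mail.example.com\0.other.example";
static const unsigned char good[] = "mail.example.com";
static const struct cert_name bad_name = { bad, sizeof bad - 1 };
static const struct cert_name good_name = { good, sizeof good - 1 };

/* The failure mode: treating the bytes as a C string stops at the NUL.
 * (Only safe to call here because the samples are NUL-terminated literals.) */
static int naive_matches(const struct cert_name *n, const char *host)
{
    return strcasecmp((const char *)n->data, host) == 0;
}

/* Reject any embedded NUL, then compare over the full encoded length. */
static int name_matches(const struct cert_name *n, const char *host)
{
    if (n->len == 0 || memchr(n->data, '\0', n->len) != NULL)
        return 0;
    if (n->len != strlen(host))
        return 0;
    return strncasecmp((const char *)n->data, host, n->len) == 0;
}

/* Same check for every subjAltName entry and for the commonName.
 * Assumption: commonName is consulted only when no subjAltName exists. */
static int cert_matches_host(const struct cert_name *alt, size_t n_alt,
                             const struct cert_name *cn, const char *host)
{
    size_t i;
    for (i = 0; i < n_alt; i++)
        if (name_matches(&alt[i], host))
            return 1;
    return n_alt == 0 && cn != NULL && name_matches(cn, host);
}

int main(void)
{
    printf("naive: %d\n", naive_matches(&bad_name, "mail.example.com"));
    printf("checked CN: %d\n", cert_matches_host(NULL, 0, &bad_name, "mail.example.com"));
    printf("checked SAN: %d\n", cert_matches_host(&bad_name, 1, &good_name, "mail.example.com"));
    return 0;
}
```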
