Date: Tue, 16 Mar 2010 18:17:23 +0000 From: Brian Stafford <brian@...fford.uklinux.net> To: Ludwig Nussel <ludwig.nussel@...e.de> Cc: oss-security@...ts.openwall.com, libesmtp@...fford.uklinux.net, security@...ntu.com, Pawel Salek <pawsa@...ochem.kth.se>, jskarvad@...hat.com Subject: Re: CVE Request: libesmtp does not check NULL bytes in commonName Ludwig Nussel wrote: > Brian Stafford wrote: > >> Ludwig Nussel wrote: >> >>> Brian Stafford wrote: >>> >>> >>>> I think the best approach is to apply Pawel's patch as this is the >>>> >>> I must have missed that patch. Could you re-post it? >>> >>> >> It's available at https://bugzilla.redhat.com/attachment.cgi?id=399131 >> > > Doesn't that lack a null byte check for subjAltNames? > > cu > Ludwig > > You're right. I'll look over your patch again. One small issue I have is that declarations are interspersed with code which is not standard pre-C99, although if speed is of the essence this can be ignored as I will get an official libESMTP release out soon. Regards Brian
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.