Date: Tue, 24 Apr 2012 19:12:52 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Tavis Ormandy <taviso@...xchg8b.com>
Subject: Re: OpenSSL ASN1 BIO vulnerability (CVE-2012-2110)

All -

On Tue, Apr 24, 2012 at 04:31:51PM +0200, Tavis Ormandy wrote:
> Oops, indeed I didn't test with the 0.9.x build. I had tried (and
> failed) to mail it to openssl-security, but their MTA rejected it,
> so just skipped it as the 1.0.0 patch seemed correct.
>
> At the risk of being flamed for my progressive views on email size,
> please turn up the limits for security aliases! :-)

This is getting a bit off-topic indeed, but here are a few points:

1. Yes, I agree that private security contact addresses should be more liberal in what they accept (as compared to mailing lists with larger numbers of subscribers). This is why, for example, Tavis' message with the attached 1.3 MB file was delivered to me just fine, but did not make it through to oss-security.

2. Besides message size, also important is how the message may be treated by anti-spam and anti-virus software (which may arguably be unreasonable to use, especially in such cases, but may happen to be in place on a mail gateway anyway). openssl-1.0.1-testcase-32bit.crt.gz uncompresses to 1431655797 bytes (curiously, 1.33333336 GiB), which may well be above a reasonable anti-DoS limit of an anti-virus checking what's inside compressed files. In fact, that file could reasonably be blocked for being such a size bomb for end-user systems as well (compression ratio of over 1000).

3. URLs may be used for passing of somewhat large or problematic files like this. For postings to oss-security, file uploads to wiki pages under http://oss-security.openwall.org/wiki/code-reviews may be used. In fact, just before Tavis placed the file on a URL of his own, I started to set up this wiki page, which I intended to upload the file to: http://oss-security.openwall.org/wiki/code-reviews/openssl (maybe we should even complete this one, link to it from code-reviews, and start to use it for OpenSSL issues in particular).

4. FYI, the current message size limit for oss-security is 200 KB. This means that files of up to about 140 KB may be posted. If list members feel that this needs to be adjusted one way or the other, let me know. Please consider that we currently have about 1000 subscribers.

5. For the non-public distros and linux-distros lists, the limit is in fact much larger, so that these lists' PGP re-encryption feature may be used to distribute non-public testcases and the like to list members. However, I think it's preferable that multi-megabyte messages be announced to and actually requested by list members before being posted, unless the issue is very time-sensitive (every hour matters). Sometimes it makes more sense to send testcases to individual distros (just those who request this info) rather than to all at once anyway.

Thanks,

Alexander
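A bounded-decompression check of the kind a mail gateway or anti-virus applies to a size bomb like the one described in point 2, as an added example that is not part of this thread: it inflates a gzip blob in capped chunks, stops at a hard output limit, computes the compression ratio, and rejects the file before it is ever fully expanded. The two sample payloads are constructed in memory and are not the testcase from the thread; the 1 MiB cap and the 1000:1 ratio threshold are assumed policy values.

```python
import gzip
import zlib

# Constructed sample inputs (not the testcase from the thread): a bomb-like
# stream of 8 MiB of NUL bytes, and an ordinary payload of a repeating pattern.
BOMB_GZ = gzip.compress(b"\x00" * (8 * 1024 * 1024))
NORMAL_GZ = gzip.compress(bytes(range(256)) * 64)

CHUNK = 64 * 1024  # upper bound on bytes inflated per step


def inspect_gzip(blob: bytes, max_output: int, max_ratio: float = 1000.0) -> dict:
    """Stream-decompress a gzip blob with a hard cap on the bytes produced.

    Returns produced (bytes emitted before stopping), capped (whether the cap
    was hit), ratio (produced / compressed size; only a lower bound if capped)
    and a verdict of "accept" or "reject". Inflation happens in bounded
    chunks, so a size bomb is never expanded in full.
    """
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # +16: expect a gzip header
    produced = 0
    capped = False
    buf = blob
    while not d.eof:
        out = d.decompress(buf, max_length=CHUNK)
        produced += len(out)
        if produced > max_output:
            capped = True
            break
        buf = d.unconsumed_tail  # input zlib could not consume within max_length
        if not buf and not out:
            break  # input exhausted with nothing pending: truncated stream
    ratio = produced / len(blob) if blob else 0.0
    verdict = "reject" if capped or ratio > max_ratio else "accept"
    return {"produced": produced, "capped": capped, "ratio": ratio, "verdict": verdict}


if __name__ == "__main__":
    for name, blob in (("bomb", BOMB_GZ), ("normal", NORMAL_GZ)):
        r = inspect_gzip(blob, max_output=1024 * 1024)
        print(f"{name}: {len(blob)} compressed bytes -> {r}")
```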