Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 24 Apr 2012 19:12:52 +0400
From: Solar Designer <>
Cc: Tavis Ormandy <>
Subject: Re: OpenSSL ASN1 BIO vulnerability (CVE-2012-2110)

All -

On Tue, Apr 24, 2012 at 04:31:51PM +0200, Tavis Ormandy wrote:
> Oops, indeed I didn't test with the 0.9.x build. I had tried (and
> failed) to mail it to openssl-security, but their MTA rejected it,
> so just skipped it as the 1.0.0 patch seemed correct.
> At the risk of being flamed for my progressive views on email size,
> please turn up the limits for security aliases! :-)

This is getting a bit off-topic indeed, but here are a few points:

1. Yes, I agree that private security contact addresses should be more
liberal in what they accept (as compared to mailing lists with larger
numbers of subscribers).  This is why, for example, Tavis' message with
the attached 1.3 MB file was delivered to me just fine, but did not make
it through to oss-security.

2. Besides message size, also important is how the message may be
treated by anti-spam and anti-virus software (which may arguably be
unreasonable to use, especially in such cases, but may happen to be in
place on a mail gateway anyway).  openssl-1.0.1-testcase-32bit.crt.gz
uncompresses to 1431655797 bytes (curiously, 1.33333336 GiB), which may
well be above a reasonable anti-DoS limit of an anti-virus checking
what's inside compressed files.  In fact, that file could reasonably be
blocked for being such a size bomb for end-user systems as well
(compression ratio of over 1000).

3. URLs may be used for passing of somewhat large or problematic files
like this.  For postings to oss-security, file uploads to wiki pages
under may be used.
In fact, just before Tavis placed the file on an URL of his own, I
started to set up this wiki page, which I intended to upload the file to:
(maybe we should even complete this one, link to it from code-reviews,
and start to use it for OpenSSL issues in particular).

4. FYI, the current message size limit for oss-security is 200 KB.  This
means that files of up to about 140 KB may be posted.  If list members
feel that this needs to be adjusted one way or the other, let me know.
Please consider that we currently have about 1000 subscribers.

5. For the non-public distros and linux-distros lists, the limit is in
fact much larger, so that these lists' PGP re-encryption feature may be
used to distribute non-public testcases and the like to list members.
However, I think it's preferable that multi-megabyte messages be
announced to and actually requested by list members before being posted,
unless the issue is very time-sensitive (every hour matters).  Sometimes
it makes more sense to send testcases to individual distros (just those
who request this info) rather than to all at once anyway.



Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.