Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 02 Nov 2022 23:43:00 +0100
From: Steffen Nurpmeso <steffen@...oden.eu>
To: oss-security@...ts.openwall.com
Subject: Re: OpenSSL X.509 Email Address 4-byte Buffer
 Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow
 (CVE-2022-3786)

Kurt H Maier wrote in
 <Y2K1yOB7748iGI2P@...r>:
 |On Wed, Nov 02, 2022 at 03:09:21PM +0100, Hanno Böck wrote:
 |> FWIW it only takes a basically trivial fuzz target on the affected
 |> function to find this bug with libfuzzer.
 |
 |I'm not sure what the value is of all this Monday-morning
 |quarterbacking, from 'basically trivial' fuzzing to code-quality
 |comparisons of hypothetical Rust ports.  OpenSSL's development process
 |has a bad rap, and there are definitely some easy wins to be had.

I never understood this way of seeing things.

Basically all the (non-military, at least) world was using it for
decades without giving back a kopek, and there were funny threads
on the ML, and basically that neat perl-based assembler production
system for even more speed-ups was a noticeable part of the
traffic.

So then heartbleed came and suddenly projects splitted off, but
luckily some funding was finally found for the OpenSSL project
itself, which made me cheer.

Since then more and more paid programmers are working there, and
have rewritten most of the code (i did not look as it is such
a detangled thing, like GNU C lib was twenty years ago, and until
you have found what you look for you have gray hair), added
myriads of tests, etc etc.

They also went to a public hoster and have thousands of issues as
more people look in the code as ever before (i would think, but
i was not looking at the community before ~2011).

I saw some odd naming issues, left-behind interfaces (that i like
a lot, mostly SSL_CONF_cmd() and <-> configuration files, but
unfortunately the road to sanity that this would allow was never
forcefully advertised; and this was somewhere before the 3.x
series was released, it could have been healed in the meantime).

It is not me alone that thinks that documentation misses
a straight path, i mostly live on "network security with OpenSSL"
that is a bit aged, so to say.
I personally have problems with the attitude too, the silent
openssl-dev@ i was on for a decade was replaced with a super
chatty thing that i left very quickly, i really hate their
announcements which link to some web site which basically says
a non-interactive sentence if you are lucky, so i always say
"thanks" and look upwards to the Olymp, basically.
Anyhow: my personal problem.

In short: where _so_ much work is done, and so many people work,
errors can surely happen.
I want to point out that other libraries which forked away often
simply copy code over from OpenSSL after that has done the work.
Not always, but it happens frequently.
I do not depreciate the fact, but it is one.

It is just that _i_ do not rub my very big balls (this does not
mean you, Kurt Maier) and point my finger at a project which is
the foundation for a very large part of _free_ and _open_ security
for the internet.

Donate for testing, maybe?  Dedicate time to write boring tests
maybe?  All you need to do is to become a member of that big thing
that does not like Iran, North Korea, Cuba, and i am a bit
misguided of who are the bad guys (evil states) at the moment,
it does not truly reflect my personal truth.  But so it is.

 |Posting "if they'd only adopted my pet practice" to oss-sec isn't fixing
 |anything in the OpenSSL project.  Please consider directing fuzzing
 |advice and PL theory directly to the project?  I agree there would be
 |benefit to this stuff, but dunking on them on unrelated lists isn't
 |getting the medicine to the patient.

Ah yes!
The number of tests is in fact driving me _insane_.  I track git..

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.