OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   Fwd: [e-lang] Protocol implementation errors

[ Lists Home | Date Index | Thread Index ]

Given how the OpenSSL hackers have fared with ASN.1, letting web
service hackers muck about with ASN.1 seems like a poor idea.

Definitely an issue that must be addressed by those advocating use
of ASN.1 as a binary encoding of the XML Infoset.


----------  Forwarded Message  ----------

Subject: [e-lang] Protocol implementation errors
Date: Thu, 2 Oct 2003 14:50:21 -0700
From: Bill Frantz <frantz@pwpconsult.com>
To: cryptography@metzdowd.com
Cc: e-lang@mail.eros-os.org

>                 -- Security Alert Consensus --
>                       Number 039 (03.39)
>                  Thursday, October 2, 2003
>            Network Computing and the SANS Institute
>                      Powered by Neohapsis
>*** {03.39.004} Cross - OpenSSL ASN.1 parsing vulns
>OpenSSL versions 0.9.6j and 0.9.7b (as well as prior) contain multiple
>bugs in the parsing of ASN.1 data, leading to denials of services. The
>execution of arbitrary code is not yet confirmed, but it has not been
>ruled out.

This is the second significant problem I have seen in applications that use
ASN.1 data formats.  (The first was in a widely deployed implementation of
SNMP.)  Given that good, security conscience programmers have difficultly
getting ASN.1 parsing right, we should favor protocols that use easier to
parse data formats.

I think this leaves us with SSH.  Are there others?

Cheers - Bill

Bill Frantz        | "There's nothing so clear as   | Periwinkle
(408)356-8506      | vague idea you haven't written | 16345 Englewood Ave
www.pwpconsult.com | down yet." -- Dean Tribble     | Los Gatos, CA 95032

e-lang mailing list


The union of REST and capability-based security:


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS