


   Re: [xml-dev] Fwd: [e-lang] Protocol implementation errors


Rich Salz wrote,
> Miles Sabin wrote,
> > Blaming a design for the flaws of an aging, bloated and crufty
> > implementation is silly.
> Interestingly, the OpenSSL ASN.1 flaws seem to be in both the old
> code (from the SSLeay days), and the fairly new ASN.1 code recently
> released. /r$

Fair enough. But just how "new" is that new ASN.1 code? If it was 
completely original code with no borrowings from SSLeay and still 
reproduced the same or very similar bugs, and those bugs were 
intrinsically related to ASN.1 rather than being, e.g., generic integer 
overflows, then that'd be good evidence that there was a general 
problem with ASN.1.

But looking at the recent NISCC advisory, that doesn't appear to be the 
case: the three flaws directly related to the ASN.1 implementation seem 
to be generic C-specific bugs which could just as easily affect an XML 
parser implemented in the same language.





Copyright 2001 XML.org. This site is hosted by OASIS