Rich Salz wrote,
> Miles Sabin wrote,
> > Blaming a design for the flaws of an aging, bloated and crufty
> > implementation is silly.
> Interestingly, the OpenSSL ASN.1 flaws seem to be in both the old
> code (from the SSLeay days), and the fairly new ASN.1 code recently
> released. /r$
Fair enough. But just how "new" is that new ASN.1 code? If it was
completely original code with no borrowings from SSLeay and still
reproduced the same or very similar bugs, and those bugs were
intrinsically related to ASN.1 rather than being, e.g., generic integer
overflows, then that'd be good evidence that there was a general
problem with ASN.1.
But looking at the recent NISCC advisory, that doesn't appear to be the
case: the three flaws directly related to the ASN.1 implementation seem
to be generic C-specific bugs which could just as easily affect an XML
parser implemented in the same language.