Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)

[Tavis Ormandy <taviso () gmail com>]

On 2022-11-01, Jeffrey Walton wrote:
> On Tue, Nov 1, 2022 at 3:55 PM Pavan Maddamsetti
> <pavan.maddamsetti () gmail com> wrote:
> > https://github.com/RustCrypto

I don't know rust, so serious question - if this same buggy punycode
routine had been written in rust, what would have happened?

- I assume you *could* write similar logic, but perhaps the argument is
  that idiomatic rust discourages it?
- Would rustc have been able to reason about the code well enough at
  compile time to error out?
- Just detect it at runtime and abort()?

If the answer is "error out", then I think that's a pretty convincing win.

Tavis.

-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger taviso () sdf org
_\_V _( ) _( )  @taviso