oss-sec mailing list archives

Re: Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)


From: Kurt H Maier <khm () sciops net>
Date: Thu, 3 Nov 2022 11:13:35 -0700

On Thu, Nov 03, 2022 at 03:36:51PM -0000, Tavis Ormandy wrote:

> Hanno and I have contributed months of programmer time on openssl
> research and produced a ton of CRITICAL/HIGH issues over the years, not
> to mention nss, gnutls, etc. What you're looking at isn't Monday-morning
> quarterbacking on an unrelated list - this is active prolific opensource
> security researchers discussing their opensource security work on the
> opensource security mailing list :)

I'm aware of your and Hanno's work.  In the past it has not appeared
ex-post-facto in response to a thread where someone is trying to guess
which programming language theory would squash the bug.  That's why I'm
expressing confusion.  Feel free to ignore me.

khm

