Re: RSAREF bug issues (was Re: Looking for "lease based popper access")

["R. DuFresne" <dufresne () sysinfo com>]

On Wed, 15 Dec 1999, Bennett Todd wrote:

> 1999-12-13-12:50:43 R. DuFresne:
> > Has there been a patch released by the RSA folks to deal with it's recent
> > failing?  The impact of the RSA buffer overflow is that it affects all
> > applications built around it's core, this includes ssh, ssl enabled
> > webservers, etc..  Yep all those aplications built with RSA are now
> > exploitable, so, has a pacht been released that addresses this and allows
> > folks to patch RSAREF then rebuild all the applications that use it?
>
> I think this note deserves a few comments.
>
> First off, yes, there has been a patch posted, the OpenBSD folks at least have
> released a patch, and maybe other folks have too I don't know, and the RSADSI
> folks have officially given permission to use this patch. RSADSI didn't
> release a patch themselves; they aren't programmers, they're just lawyers
> doing their day job of trying to prevent people from using good encryption.
>
> Second, the bug in question only affects the RSAREF code if it can be invoked
> in a hostile fashion; sufficient parm checking in the caller can protect this
> bug against a remote exploit. So independantly the OpenSSH folks had fixed
> their sshd so that this bug didn't end up producing an exploit for them.


Additionally clarifying what I think I now understand here:

Means this is at least partially dependant upon the under<over?>lying
application.  The ssh1 exploit is a two in one punch, though broken
code...

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!