Re: CVE request: 3 flaws in libobby and libnet6

[Vasiliy Kulikov <segoon () openwall com>]

Armin,

On Sun, Oct 30, 2011 at 17:20 +0100, Armin Burgmeier wrote:
> I have fixed the issues 1+3 in git [1,2]. It would be great if you could
> confirm the patches to really fix the issues you raised.

Looks like they do.  FWIW, the counter overflow could be fixed by simply
using uint_64, which would overflow in 20 billion years :)


> As for the second issue, I do not think it is worth the effort to
> implement SSL certificate handling in obby. Both net6 and obby are
> replaced by libinfinity in the current development version of Gobby.
> libinfinity makes use of SSL certificates.

Some distros probably don't want to switch to the development version of
Gobby (which also uses a different dependency), but to fix the bugs of
their own stable versions.

As personally I am not a maintainer of a distro with the official Gobby
support, I don't care about maintaining old versions much, though.  I'm
happy with the fixes in the dev version.


> We would be pleased if you could check for similar flaws in libinfinity
> though I admit that it is much more code and probably more complicated
> to analyze.

OK, I'll probably look at libinfinity at my spare time as I did it with obby.

Thanks,

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments