Re: OpenSSL X.509 Email Address 4-byte Buffer Overflow (CVE-2022-3602), X.509 Email Address Variable Length Buffer Overflow (CVE-2022-3786)

[Tavis Ormandy <taviso () gmail com>]

On 2022-11-02, Kurt H Maier wrote:
> On Wed, Nov 02, 2022 at 03:09:21PM +0100, Hanno Böck wrote:
> > FWIW it only takes a basically trivial fuzz target on the affected
> > function to find this bug with libfuzzer.
>
> I'm not sure what the value is of all this Monday-morning
> quarterbacking.

Hanno and I have contributed months of programmer time on openssl
research and produced a ton of CRITICAL/HIGH issues over the years, not
to mention nss, gnutls, etc. What you're looking at isn't Monday-morning
quarterbacking on an unrelated list - this is active prolific opensource
security researchers discussing their opensource security work on the
opensource security mailing list :)

Tavis.

-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger taviso () sdf org
_\_V _( ) _( )  @taviso