Hacker News new | past | comments | ask | show | jobs | submit login

If you are using the affected ASN.1 functions and you are feeding them attacker-controlled ASN.1 data (say, SSL certificates during user configuration), it is likely that attackers will be able to run their own code in your programs.

You are probably not using the affected functions.




Am I right in thinking that would involve taking advantage of the memory corruption to inject code by using an appropriately constructed cert?


Yes, but read 'agl's comments carefully: the systems impacted by this are going to tend to be ones that do special-case configuration of SSL certificates. We're not talking about browsers and (for the most part) web servers here.

A hypothetical future Github feature that allowed users to upload SSL certs in lieu of SSH keys might have to review their code to make sure they weren't using OpenSSL BIOs to read certs from (or just patch).

You should patch anyways. From now on, professional security assessments are going to doc this version of OpenSSL as a vulnerability.


Oh, I'm not using OpenSSL professionally - I'm pretty much just a curious amateur when it comes to computer security.

Good to know I've not got anything to worry about personally, though. You've explained it well.


Adam Langley's the one who did the real explaining on this thread; thank 'agl. :|




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: