A serious security bug... caused by no bounds checking.

Orvid King blah38621 at gmail.com
Mon Apr 7 17:29:04 PDT 2014


On Mon, 07 Apr 2014 18:28:02 -0500, w0rp <devw0rp at gmail.com> wrote:

> http://heartbleed.com/
>
> This bug has been getting around. The bug was caused by missing bounds  
> checking.
>
> I'm glad to be using a language with bounds checking.

I thought the standard process (especially for such a massive security  
vulnerability) for these types of issues was to have a significant span of  
time between when the fix is published and when the details of the  
vulnerability are released, yet from what I can see, they've published  
extensive details on the vulnerability on the exact same day that the fix  
was released. I really hope this isn't actually the case. (and more so, I  
hope none of the US news media who have any idea what it means get ahold  
of it, because it means that almost nobody in the US will not know about  
the issue, and believe me when I say, there are a LOT of people out there  
who would do a lot of harm with such a thing)

From what I understand, depending on the exact configuration of the server,  
namely whose address space OpenSSL was loaded in, it would be possible to  
rip database passwords from the server's memory. Servers that act merely  
as a proxy to the internal servers (the configuration that most large  
websites would have, which offloads the (de/en)cryption to gateway nodes)  
wouldn't have as big of an issue, but it would still be an issue.
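
The missing bounds check discussed in this thread, as an added example that is not part of the original posts and is not OpenSSL's code. It assumes a simplified heartbeat record (1-byte type, 2-byte claimed payload length, payload, at least 16 bytes of padding); all function names and the neighbouring "secret" bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER 3   /* 1-byte type + 2-byte claimed payload length */
#define HB_PADDING 16 /* minimum padding after the payload */

/* Claimed payload length as sent by the peer (big-endian, untrusted). */
static size_t hb_claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* "Before": trusts the claimed length and never compares it to rec_len. */
long hb_echo_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;                   /* the missing bounds check */
    size_t n = hb_claimed_len(rec);
    memcpy(out, rec + HB_HEADER, n); /* can read past the received record */
    return (long)n;
}

/* "After": discard any record whose claimed length does not fit inside it. */
long hb_echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < HB_HEADER + HB_PADDING) return -1;
    size_t n = hb_claimed_len(rec);
    if (HB_HEADER + n + HB_PADDING > rec_len) return -1;
    memcpy(out, rec + HB_HEADER, n);
    return (long)n;
}

/* Constructed stand-in for unrelated data in the same address space. */
static const char NEIGHBOUR[] = "DEMO-SECRET-0001";

/* Feeds `echo` a 20-byte record (1-byte payload) that claims `claimed` bytes.
   Returns 1 if the reply holds the neighbouring data, 0 if not, -1 if discarded. */
int hb_demo(long (*echo)(const uint8_t *, size_t, uint8_t *), unsigned claimed) {
    uint8_t mem[64] = {0}, out[64] = {0};
    if (claimed > sizeof mem - HB_HEADER) return -2; /* keep the demo in bounds */
    mem[0] = 1; mem[1] = (uint8_t)(claimed >> 8); mem[2] = (uint8_t)claimed;
    mem[3] = 'A';                    /* the real 1-byte payload */
    memcpy(mem + 20, NEIGHBOUR, 16); /* data just past the 20-byte record */
    long n = echo(mem, 20, out);
    if (n < 0) return -1;
    return n >= 33 && memcmp(out + 17, NEIGHBOUR, 16) == 0;
}

int main(void) {
    printf("unchecked: %d, checked: %d\n",
           hb_demo(hb_echo_unchecked, 33), hb_demo(hb_echo_checked, 33));
    return 0;
}
```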
