Theodore Baschak

BOFH. Open Source Guru. Founder/Operator of Hextet Systems, AS395089 and Network Architect for Daemon Defense Systems, AS55101.

goto fail

Sun, 09 Mar 2014 09:51:22 -0500 » Security, Programming, SSL

When learning to program, beginners are taught that gotos are dangerous. The danger is not the keyword itself but how quietly a stray or missing jump changes the program's flow: one duplicated or misdirected goto can skip the single check that matters, and the compiler will not object. This has come up twice in the last month, once in Apple's SSL/TLS signature verification (an extra goto: a duplicated "goto fail;" after an unbraced if made the final signature check unreachable) and once in GnuTLS's X.509 certificate verification (a missing goto: error paths jumped straight to the cleanup label and returned a negative error code that callers treated as a successful verification).
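
As an added illustration (not code from the original post, and not the actual Apple or GnuTLS source), here are both patterns reduced to a few lines of C. The hashing, signature and certificate-parsing steps are constructed stand-ins with invented names; the shape of the control flow is the point.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-ins for the hashing and signature steps (constructed for this
 * example): 0 means success, negative means error. */
static int hash_update(int chunk)
{
    (void)chunk;            /* always succeeds here */
    return 0;
}

static int signature_check(bool signature_valid)
{
    return signature_valid ? 0 : -1;
}

/* Apple-style bug: an unbraced `if` followed by a duplicated `goto fail;`.
 * The second goto runs unconditionally, so signature_check() is never
 * reached and err still holds the 0 from the last successful hash_update(). */
int verify_signature_vulnerable(bool signature_valid)
{
    int err;
    if ((err = hash_update(1)) != 0)
        goto fail;
    if ((err = hash_update(2)) != 0)
        goto fail;
        goto fail;                                      /* duplicated line */
    if ((err = signature_check(signature_valid)) != 0)  /* never reached */
        goto fail;
fail:
    return err;
}

/* Braces make the flow explicit; a duplicated goto would sit inside the
 * block and could no longer bypass the final check. */
int verify_signature_fixed(bool signature_valid)
{
    int err;
    if ((err = hash_update(1)) != 0) {
        goto fail;
    }
    if ((err = hash_update(2)) != 0) {
        goto fail;
    }
    if ((err = signature_check(signature_valid)) != 0) {
        goto fail;
    }
fail:
    return err;
}

/* GnuTLS-style bug: a yes/no check (1 = issuer is a CA, 0 = not) whose
 * error path jumps to a label that returns the negative error code as-is.
 * A caller testing `!= 0` reads that as "yes". */
int is_ca_vulnerable(int parse_result, bool basic_constraints_ca)
{
    int result = parse_result;      /* simulated parse of the certificate */
    if (result < 0)
        goto cleanup;               /* bug: leaks the negative error code */
    result = basic_constraints_ca ? 1 : 0;
cleanup:
    return result;
}

/* Fix: error paths go to a label that forces the answer to 0 (not a CA). */
int is_ca_fixed(int parse_result, bool basic_constraints_ca)
{
    int result = parse_result;
    if (result < 0)
        goto fail;
    result = basic_constraints_ca ? 1 : 0;
    goto cleanup;
fail:
    result = 0;
cleanup:
    return result;
}

/* The caller convention that turned a leaked error into a pass. */
bool issuer_accepted(int is_ca_result)
{
    return is_ca_result != 0;
}

int main(void)
{
    printf("bad signature, vulnerable: err=%d (0 = accepted)\n",
           verify_signature_vulnerable(false));
    printf("bad signature, fixed: err=%d\n", verify_signature_fixed(false));
    printf("parse error, vulnerable: accepted=%d\n",
           issuer_accepted(is_ca_vulnerable(-1, false)));
    printf("parse error, fixed: accepted=%d\n",
           issuer_accepted(is_ca_fixed(-1, false)));
    return 0;
}
```

The vulnerable variants return "success" for a bad signature and treat a parse error as "is a CA". Note that gcc's -Wall does not warn about the dead signature check at all; clang's -Wunreachable-code does, which is the one cheap compiler-side check worth turning on after the Apple bug.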

Both are public and patched now (Apple in iOS 7.0.6 and OS X 10.9.2, GnuTLS in 3.2.12 and 3.1.22), but the ramifications are huge: in either case an attacker in the network path can present a bad signature or an invalid certificate and have the client accept the connection as authenticated. Given that not everyone patches immediately, or even automatically within a few days, a large number of users will remain affected by both bugs for years to come. Just like the unpatched Windows XP systems, there are Linux and Mac users who avoid all patches, disable automatic updates, and generally leave themselves very exposed.

© Theodore Baschak - https://github.com/tbaschak - Powered by Jekyll.
CiscoDude.net is a personal website. Opinions expressed are not necessarily those of his employer.