[gnutls-devel] fixes on 3.3.x gnutls branch, why not this one?
Nikos Mavrogiannopoulos
n.mavrogiannopoulos at gmail.com
Sun Mar 5 17:50:35 CET 2017
On Sun, 2017-03-05 at 16:20 +0100, Andreas Metzler wrote:
> Hello,
>
> is there a reason why this patch was cherrypicked for the 3.5.x
> branch but not for 3.3.x?
> e2b02861caea3cb9a173e6993640b4e7112bdb44
> pencdk: read_attribute: account buffer size
>
> That ensures that there is no read past the end of buffer.
>
> Resolves the oss-fuzz found bug:
> https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=391
Hi, I didn't consider it severe enough to backport it. My understanding
is that this is a read past the end of buffer, and cannot be exploited
for a denial of service or otherwise. Let me know if I'm wrong.
regards,
Nikos
More information about the Gnutls-devel
mailing list