[Numpy-discussion] How security holes happen
Sturla Molden
sturla.molden at gmail.com
Mon Mar 3 22:17:06 EST 2014
On 03/03/14 03:15, Charles R Harris wrote:
> This is from OS X 9
>
>     if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
>         goto fail;
>     if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
>         goto fail;
>         goto fail;
>     if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
>         goto fail;
>
> Heh, maybe there is a reason for braces in even the simplest if statements.
It is quite evident in an editor with syntax highlighting. This is
almost too good to be a coincidental coding error. If there ever were a
deliberate backdoor attempt in an OS, it would be something like this.
At least Apple shows us their Darwin code. Nobody gets to scrutinize
Microsoft's Windows code in public.
I am also amazed that the bugfix was a 500 MB download.
Sturla
-------------- next part --------------
A non-text attachment was scrubbed...
Name: apple-goto-bug.png
Type: image/png
Size: 189574 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/numpy-discussion/attachments/20140304/dfd86af1/attachment.png>
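The control flow of the quoted snippet, as an added example that is not part of the original message and is not Apple's code: `step_ok` and `final_check` are hypothetical stand-ins for the hash update and final verification steps. It shows the unbraced function returning 0 (success) for a bad signature, while the braced form with the same stray duplicate line still rejects it.

```c
#include <stdio.h>

/* Hypothetical stand-ins: return 0 on success, non-zero on error. */
static int step_ok(void) { return 0; }
static int final_check(int signature_valid) { return signature_valid ? 0 : -1; }

/* Same shape as the quoted snippet: the duplicated goto is unconditional. */
int verify_unbraced(int signature_valid)
{
    int err;
    if ((err = step_ok()) != 0)
        goto fail;
    if ((err = step_ok()) != 0)
        goto fail;
        goto fail;   /* always taken while err == 0; gcc -Wmisleading-indentation flags it */
    if ((err = final_check(signature_valid)) != 0)  /* never reached; clang -Wunreachable-code flags it */
        goto fail;
fail:
    return err;      /* 0 tells the caller the check passed */
}

/* Braced form: the same stray duplicate stays inside the block it was pasted into. */
int verify_braced(int signature_valid)
{
    int err;
    if ((err = step_ok()) != 0) {
        goto fail;
    }
    if ((err = step_ok()) != 0) {
        goto fail;
        goto fail;   /* dead code inside the block, no effect on control flow */
    }
    if ((err = final_check(signature_valid)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void)
{
    printf("unbraced, bad signature: %d\n", verify_unbraced(0)); /* accepted */
    printf("braced,   bad signature: %d\n", verify_braced(0));   /* rejected */
    return 0;
}
```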