Patrick wrote:
>
> After reading Schneier's security newsletter, I learned that apparently the
> recent vulnerability in SNMPv1 is not just limited to SNMP (see newsletter at
> http://www.counterpane.com/crypto-gram-0203.html).
>
> I wonder how the problems in ASN.1 affect NSS... Any ideas?

In the URL you cited, the author wrote:

> The vulnerabilities concern SNMP's trap-handling and request-handling
> functions, and stem from problems in the reference code (probably) used
> inside the Abstract Syntax Notation (ASN.1) and Basic Encoding Rules (BER).

and

> ASN.1 is used inside a lot of other applications, such as OpenSSL.

NSS uses its own ASN.1 encoder and decoder that were written at Netscape
from scratch (IINM), and (AFAIK) were not derived from any other
implementation. There is a "reference" implementation available from other
sources, but NSS doesn't use it. So, any bugs in that reference
implementation (or any other implementation) would probably not be in NSS.
If NSS's ASN.1 code had a similar bug to one in the reference
implementation, it would be coincidental.

NSS's ASN.1 encoder and decoder have "assertions" in them. These assertions
force a crash (in debug builds of NSS only, not in "optimized" builds) in
the ASN.1 encoder or decoder if something is obviously wrong, and are
intended to be debugging aids to developers who are developing their own
ASN.1 templates. You may have run into one of these in your recent testing
with your own template. An assertion failure should not be confused with
the type of vulnerability described in the URL cited above, IMO.

--
Nelson Bolyard               Netscape
Disclaimer: I speak for myself, not for Netscape
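The distinction drawn in the message above, between a debug-only assertion and a decoder flaw reachable from malformed input, shown as an added example; this is not NSS code and not part of the original post. The function name `ber_read_header` and the result codes are hypothetical, and the parser handles only single-byte tags and definite lengths.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical result codes for this example; not NSS identifiers. */
enum { BER_OK = 0, BER_TRUNCATED = -1, BER_UNSUPPORTED = -2 };

/* Parse one BER header (single-byte tag, definite length) from untrusted
 * input. On success, stores the header size and the content length. */
int ber_read_header(const uint8_t *buf, size_t buf_len,
                    size_t *hdr_len, size_t *content_len)
{
    /* Programmer error (bad arguments from our own code): an assertion.
     * Compiled out when NDEBUG is defined, i.e. in optimized builds. */
    assert(buf != NULL && hdr_len != NULL && content_len != NULL);

    /* Everything below depends on bytes from the peer, so it is checked
     * at run time in every build and reported as an error, not a crash. */
    if (buf_len < 2)
        return BER_TRUNCATED;
    if ((buf[0] & 0x1f) == 0x1f)
        return BER_UNSUPPORTED;        /* multi-byte tag numbers */

    size_t pos = 1;
    uint8_t first = buf[pos++];
    size_t len = 0;

    if (first < 0x80) {
        len = first;                   /* short form: length in one octet */
    } else {
        size_t n = first & 0x7f;       /* long form: n length octets follow */
        if (n == 0 || n > sizeof(size_t))
            return BER_UNSUPPORTED;    /* indefinite form, or too wide */
        if (n > buf_len - pos)
            return BER_TRUNCATED;      /* length octets run past the buffer */
        while (n--)
            len = (len << 8) | buf[pos++];
    }
    /* Compare against the bytes remaining; pos + len could wrap around. */
    if (len > buf_len - pos)
        return BER_TRUNCATED;          /* declared length exceeds the data */

    *hdr_len = pos;
    *content_len = len;
    return BER_OK;
}
```

Only the argument check depends on the build type; the length checks on received bytes stay in place with or without `NDEBUG`.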
