In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
>
> In the URL you cited, the author wrote:
>
> > The vulnerabilities concerns SNMP's trap-handling and request-handling
> > functions, and stem from problems in the reference code (probably) used
> > inside the Abstract Syntax Notation (ASN.1) and Basic Encoding Rules (BER).
>
> and
>
> > ASN.1 is used inside a lot of other applications, such as OpenSSL.
>
> NSS uses its own ASN.1 encoder and decoder that were written at Netscape
> from scratch (IINM), and (AFAIK) were not derived from any other
> implementation. There is a "reference" implementation available from
> other sources, but NSS doesn't use it. So, any bugs in that reference
> implementation (or any other implementation) would probably not be in NSS.
> If NSS's ASN.1 code had a similar bug to one in the reference implementation,
> it would be coincidental.
>

For the record OpenSSL's ASN1 isn't derived from a "reference"
implementation either. The current version of its ASN1 code was also
written more or less from scratch.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED]
PGP key: via homepage.
