OT: looking for help remembering name/info about security bug

David Brownlee abs at absd.org
Tue Jan 11 09:20:21 CST 2022


On Tue, 11 Jan 2022 at 06:04, Stan Sieler via cctalk
<cctalk at classiccmp.org> wrote:
>
> Hi,
>
> I'm trying to remember the name (and some information about) a past
> security bug, for an article.
>
> Somewhere between 4 and 6 years ago (I think), there was a fairly major
> security bug reported (probably in Linux, or in SSH code, but
> something widely used).
>
> IIRC, the bug was a single line that called a function (possibly along the
> lines of CredentialsCheck), and may have involved a bit-wise or (or and)
> instead of a logical one.
>
> It may have been that either the routine wasn't getting called when it
> should, or that the programmer misinterpreted what the return value meant.
>
> Ring any bells?

Just on the off chance the bell might be named "Apple" (it's a goto
fail rather than a bit-wise issue)

https://nakedsecurity.sophos.com/2014/02/24/anatomy-of-a-goto-fail-apples-ssl-bug-explained-plus-an-unofficial-patch/

David

