OpenSSL flaw disclosure: Right thought, wrong time

March 10, 2016

Tech has plenty of holy wars — Windows vs Linux, emacs vs vi, and Perl vs Python, to name a few — and security has its own: vulnerability disclosure. At times it makes sense to publicly disclose a security vulnerability, but the recently revealed out-of-bounds read flaw in OpenSSL isn’t one of those times.

Attackers can trigger the out-of-bounds read flaw in OpenSSL’s b2i_PVK_bio() function with a specially crafted private key, according to a post by Guido Vranken, a software engineer at Intelworks. That could lead to heap corruption and potentially leak memory contents.

Read More on Info World