Security FAIL

Published Mon 23 February 2009 12:11 (+1300)

People really do fail at C. From Joy Marie Forsythe via ACM RISKS:

NIST is currently holding a competition to choose a design for the SHA-3 algorithm. The reference implementations of a few of the contestants have bugs in them that could cause crashes, performance problems, or security problems if they are used in their current state. Based on our bug reports, some of those bugs have already been fixed.

Two of the projects (Blender and MD6) contained buffer overflows. The rest of the issues found were out-of-bounds reads, memory leaks and null dereferences. The code was good overall, but it's important to get these implementations right. They end up being the basis for future implementations, or used as is, and can be a factor is the outcome of the SHA-3 competition.

You get a further idea how ignorant people are of DoSs and security from the commenters claiming that it's not a problem to have security holes in the reference implementations – because they don't expect them to stick around.