Theodore Baschak

Routing Guru. IPv6 Advocate. Operator of Hextet Systems (AS395089).

goto fail

Sun, 09 Mar 2014 09:51:22 -0500 » Security, Programming, SSL » Estimated read time: 1 min

When learning programming, beginners are always taught that gotos are dangerous. They are dangerous because of their syntax: a missed colon or semicolon can mean a vastly different program flow. This has come up twice in the last month, once in Apple’s SSL/TLS signature verification (an extra goto) and once in GnuTLS’s signature verification (a missing goto).
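To show how one stray line turns a guarded `goto` into an unconditional jump, here is an added example (not from the post, and not Apple's or GnuTLS's actual code): a simplified model of the duplicated-goto shape, with each struct field standing in for the result of one real verification step and all inputs constructed.

```c
/* Added example, not from the post nor from Apple's or GnuTLS's sources:
 * a simplified model of the duplicated-goto bug. Each field stands in for
 * the result of one real verification step (0 = success), and the sample
 * inputs below are constructed. */
#include <stdio.h>

struct checks {
    int update_a;  /* first hash update */
    int update_b;  /* second hash update */
    int final_sig; /* final signature comparison */
};

/* Vulnerable shape: the second `goto fail;` has no condition, so the
 * signature comparison is dead code and err is still 0 from the update. */
int verify_vulnerable(const struct checks *c)
{
    int err = 0;
    if ((err = c->update_a) != 0)
        goto fail;
    if ((err = c->update_b) != 0)
        goto fail;
        goto fail;                  /* duplicated line: always taken */
    if ((err = c->final_sig) != 0)  /* never reached */
        goto fail;
fail:
    return err;                     /* 0 tells the caller "verified" */
}

/* Fixed shape: every goto is guarded and braced, so a stray line cannot
 * silently become unconditional. */
int verify_fixed(const struct checks *c)
{
    int err = 0;
    if ((err = c->update_a) != 0) { goto fail; }
    if ((err = c->update_b) != 0) { goto fail; }
    if ((err = c->final_sig) != 0) { goto fail; }
fail:
    return err;
}

int main(void)
{
    /* Constructed case: both hash updates succeed, the signature is bad. */
    struct checks bad_sig = { 0, 0, -1 };
    printf("vulnerable: %d (0 = accepted)\n", verify_vulnerable(&bad_sig));
    printf("fixed:      %d\n", verify_fixed(&bad_sig));
    return 0;
}
```

Compiling with `-Wall` on a recent gcc flags the misleading indentation in `verify_vulnerable`, which is exactly the kind of check that would have caught the real bug before release.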

Both are public, and patched now, but the ramifications of both are HUGE. Given that not everyone patches immediately or even automatically within a few days, there will be a large number of users affected by both of these bugs for years to come. Just like the unpatched Windows XP systems, there are also Linux and Mac users out there who avoid all patches, disable the automatic updates, and generally make themselves very vulnerable.