S3 Ep94: This sort of crypto (graphy), and the other sort of crypto (currency!) [Audio + Text] (Security News, August 2022)
DOUG. A critical Samba bug, yet another crypto theft, and Happy SysAdmin Day.
Moving on to something not so great: a memory mismanagement bug in GnuTLS.

DUCK. Yes, I thought this was worth writing up on Naked Security, because when people think of open-source cryptography, they tend to think of OpenSSL. Because that's the one that everybody's heard of, and it's the one that's probably had the most publicity in recent years over bugs, because of Heartbleed.
Even if you weren't there at the time, you've probably heard of Heartbleed, which was a sort of data leakage and memory leakage bug in OpenSSL. It had been in the code for ages and nobody noticed.
That's generally regarded as an extremely bad idea, rather shabby from a security point of view, but any code that does that won't be vulnerable to this bug, because it doesn't call the buggy code.
Of course, the bad news is, when bug fixes like this do come out, there's usually a slew of people who go looking at them, trying to analyse what went wrong, in the hope of rapidly understanding what they can do to exploit the bug against all those people who have been slow to patch.
During a recent code update, it seems that they fell into the same sort of hole that perhaps the Samba guys did with the bug we talked about in Samba.