The Bash Bug And The OpenSSL Bug


Details
On Tuesday evening, December 2, Freddy Martinez will give a talk, with code presentations, on two famous bugs in open-source C-language software: the bash bug, and the OpenSSL bug.
The bug in bash caused it to scan its environment for function definitions, and to continue executing the environment string even after the end of the function definition. Bash is, and always has been, open-source software, subject to inspection by anyone, and yet, amazingly, this bug was undetected for 20 years.
In the OpenSSL bug, a request for information followed by a buffer size would return as many bytes of information as were specified in the buffer size, even if it was more bytes of information than were in the requested information. This was arguably worse than the bash bug, because the bash bug affected only one program (albeit the single most frequently-invoked program in all of Unix), whereas the OpenSSL bug affected every program that was compiled with OpenSSL. This bug was also undetected for a long time, even though OpenSSL is open-source, and was produced by an organization with rigorous code-inspection standards.
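The missing length check described above, sketched as an added example (it is not OpenSSL's code and not material from the talk). The message layout, function names and sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout (assumption): type(1) | claimed length(2, big-endian) | payload */
#define HDR_LEN 3

static size_t claimed_len(const uint8_t *msg) { return ((size_t)msg[1] << 8) | msg[2]; }

/* Bytes beyond the real payload that a reply sized purely from the claimed
 * length would cover. Computed only; nothing is read out of bounds here. */
size_t overread_if_trusted(const uint8_t *msg, size_t received)
{
    if (received < HDR_LEN) return 0;
    size_t actual = received - HDR_LEN, claimed = claimed_len(msg);
    return claimed > actual ? claimed - actual : 0;
}

/* Corrected handler: echo the payload only when the claimed length fits in
 * the bytes that actually arrived. Returns bytes written, or -1 to discard. */
long echo_payload_checked(const uint8_t *msg, size_t received,
                          uint8_t *out, size_t out_cap)
{
    if (received < HDR_LEN) return -1;            /* too short to hold a header */
    size_t claimed = claimed_len(msg);
    if (claimed > received - HDR_LEN) return -1;  /* claims more than was sent */
    if (claimed > out_cap) return -1;             /* would not fit in the reply buffer */
    memcpy(out, msg + HDR_LEN, claimed);
    return (long)claimed;
}

/* Constructed sample messages: both carry 4 payload bytes. */
const uint8_t honest_msg[] = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g' }; /* claims 4 */
const uint8_t lying_msg[]  = { 0x01, 0x40, 0x00, 'p', 'i', 'n', 'g' }; /* claims 16384 */

int main(void)
{
    uint8_t out[64];
    printf("honest: echoed %ld, over-read if trusted %zu\n",
           echo_payload_checked(honest_msg, sizeof honest_msg, out, sizeof out),
           overread_if_trusted(honest_msg, sizeof honest_msg));
    printf("lying:  echoed %ld, over-read if trusted %zu\n",
           echo_payload_checked(lying_msg, sizeof lying_msg, out, sizeof out),
           overread_if_trusted(lying_msg, sizeof lying_msg));
    return 0;
}
```

The single comparison of the claimed length against the received length is what separates the two outcomes; the sender's length field is never used to size a copy before that comparison.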
After walking us through the code, Freddy will try to address the fascinating question of how two such serious bugs in open-source software could have gone undetected for so long.
Freddy Martinez has been working in free, open-source software since 2007. He is involved in the Chicago Linux Users Group, Linux Certification and the Chicago Cryptoparty. Current interests are GSM technology, cryptography and security, and the Tor project. Freddy works professionally as a Linux system administrator.
