Nate,<div>How do you ascertain that a given library is vulnerable? Just by code inspection and assume you understand the implications of the platform and surrounding code, or do you successfully exploit it to be certain?</div>
<div><br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Fri, Jul 16, 2010 at 10:45 AM, Nate Lawson <span dir="ltr"><<a href="mailto:nate@rootlabs.com">nate@rootlabs.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">Breno de Medeiros wrote:<br>
> On Fri, Jul 16, 2010 at 08:02, Pádraic Brady <<a href="mailto:padraic.brady@yahoo.com">padraic.brady@yahoo.com</a>> wrote:<br>
>> I can only speak for PHP, but the function is also multiples slower than a<br>
>> native comparison from when I was implementing it last year. Not all that<br>
>> surprising given PHP is also built on C (to the point it practically copies<br>
>> functions) so it should resolve similarly.<br>
><br>
> The only fair comparison here is when the two inputs are equal.<br>
> Lengthening the time of computation when the inputs are different is<br>
> the goal of this fix.<br>
<br>
</div>Yes, that's what I was checking on.<br>
<div class="im"><br>
>> Just on implementations - have you notified these directly? Not all of them<br>
>> may be paying attention to this list since it's not necessarily<br>
>> implementation specific.<br>
<br>
</div>No, there are too many. We've also notified all OAuth, various web<br>
frameworks, and others not yet public. There are at least 30 known<br>
affected libraries and up to double that unknown. We can't review<br>
everything.<br>
<font color="#888888"><br>
--<br>
</font><div><div></div><div class="h5">Nate Lawson<br>
Root Labs :: <a href="http://www.rootlabs.com" target="_blank">www.rootlabs.com</a><br>
+1 (510) 595-9505 / (415) 305-5638 mobile<br>
Solving embedded security, kernel and crypto challenges<br>
<br>
</div></div></blockquote></div><br></div>