Note, this comment only applies to the C++ library, not the Java library. Colm.
On Wed, Jan 19, 2022 at 3:39 PM BEEK Graham <[email protected]> wrote: > > Hi, > > > > This bug was raised 2 and a bit years ago and would seem quite important at > first glance, but there has been no activity. Would someone be able to > confirm whether it is as important as it sounds and whether a patch is > available or even where the check mentioned is located? > > > > This is the description: > > > > There's a bug in the Signature load routine that relates to a commented out > check that was failing the load when unknown content appeared at the end of a > Signature element. > > The code was unwisely changed to permit "non-conformant signatures", which is > an absolutely indefensible decision. This is how you get security bugs. > Non-conformant signatures can go right to hell. > > Adding an option to control this behavior is the absolute minimum we should > do, but the default should be strict, and the rest of the load methods should > be reviewed for any similar permissiveness. > > > > > > > > Many thanks, > Graham > > > > This message contains information that may be privileged or confidential and > is the property of the Capgemini Group. It is intended only for the person to > whom it is addressed. If you are not the intended recipient, you are not > authorized to read, print, retain, copy, disseminate, distribute, or use this > message or any part thereof. If you receive this message in error, please > notify the sender immediately and delete all copies of this message.
