[Cryptech Tech] CVE-2015-5291: remote heap corruption in ARM mbed TLS / PolarSSL

Paul Selkirk paul at psgd.org
Tue Oct 20 03:49:07 UTC 2015


On 10/18/2015 10:19 AM, Randy Bush wrote:
> https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/

First, kudos to Guido for reviewing (and to everyone who reviews
open-source code), and kudos to the mbed TLS team for responding.

That said, we don't, and likely won't, use mbed TLS, which is quite a
separate project from mbed per se. (Although it looks like they've done
a lot of integration since the last time I looked at it, in May.)

In fact, we may not even end up using mbed per se. I'm keeping an open
mind, but I'm leaning to Fredrik's model of using the underlying CMSIS
libraries directly.

				paul

