...
Accessing uninitialized variables generally leads to unexpected program behavior. In some cases these types of flaws may allow the execution of arbitrary code.
This vulnerability (http://www.kb.cert.org/vuls/id/925211) in the OpenSSL package for Debian Linux, and other distributions derived from Debian, is said to reference uninitialized memory. One might say that uninitialized memory caused the vulnerability, but not directly. The original OpenSSL code utilized uninitialized memory as an additional source of randomness to an already-randomly-generated key. This generated good keys, but caused the code-auditing tools Valgrind and Purify to issue warnings. Debian tried to fix the warnings with two changes. One actually eliminated the uninitialized memory access, but the other weakened the randomness of the keys.
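The following added example (not code from this page, OpenSSL, or Debian) shows how the uninitialized read can be removed without removing the mixing step that supplies the real entropy. The pool type, the constructed entropy sources, and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy mixing pool (hypothetical; stands in for a real PRNG state). */
typedef struct { uint64_t state; size_t mixed; } pool_t;
typedef size_t (*entropy_fn)(unsigned char *out, size_t want);

void pool_mix(pool_t *p, const unsigned char *d, size_t n) {
    for (size_t i = 0; i < n; i++)          /* FNV-1a style fold */
        p->state = (p->state ^ d[i]) * 0x100000001b3ULL;
    p->mixed += n;
}

/* Constructed sources: a short read of 8 fixed bytes, and a failed read. */
size_t short_source(unsigned char *out, size_t want) {
    static const unsigned char sample[8] = {0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4};
    size_t n = want < sizeof sample ? want : sizeof sample;
    memcpy(out, sample, n);
    return n;
}
size_t dead_source(unsigned char *out, size_t want) { (void)out; (void)want; return 0; }

/* Noncompliant: on a short read, buf[got..31] is indeterminate yet is
 * still folded into the pool. This is the read the checkers flag. */
int seed_noncompliant(pool_t *p, entropy_fn src) {
    unsigned char buf[32];
    (void)src(buf, sizeof buf);
    pool_mix(p, buf, sizeof buf);
    return 0;
}

/* Compliant: the buffer is initialized, only bytes the source produced
 * are mixed, and a source that yields nothing is reported as an error
 * instead of a silently weaker seed. The pool_mix call stays in place. */
int seed_compliant(pool_t *p, entropy_fn src) {
    unsigned char buf[32] = {0};
    size_t got = src(buf, sizeof buf);
    if (got == 0 || got > sizeof buf) return -1;
    pool_mix(p, buf, got);
    return (int)got;
}

int main(void) {
    pool_t p = {0xcbf29ce484222325ULL, 0};
    if (seed_compliant(&p, short_source) != 8) return 1;
    return seed_compliant(&p, dead_source) == -1 ? 0 : 1;
}
```

With the compliant version, the pool state depends only on bytes the source actually delivered, so Valgrind-style checkers stay quiet and the result is reproducible under test.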
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
EXP33-C | high | unlikely | medium | P6 | L2 |
...