On Wed, May 14, 2008 at 08:47:38AM +0200, Otto Moerbeek wrote:

> On Wed, May 14, 2008 at 12:48:41AM +0200, chefren wrote:
>
> > On 5/13/08 7:08 PM, Marc Espie wrote:
> >
> >> More details show that someone seriously fucked up in debian.
> >
> > Well, this Kurt has seriously asked for details on the relevant
> > openssl-dev list:
> >
> > http://marc.info/?l=openssl-dev&m=114651085826293&w=2
> >
> >
> > And see what "arrogant as usual" Ben Laurie states:
> >
> > http://www.links.org/?p=327
> >
> > "they should contribute their patches upstream to the package maintainers.
> > Had Debian done this in this case, we (the OpenSSL Team) would have fallen
> > about laughing, and once we had got our breath back, told them what a
> > terrible idea this was."
> >
> >
> > Kurt has clearly done so, and I know personally of another totally ignored
> > patch from our company and I have heard in the past about OpenBSD people
> > trying to send patches to OpenSSL maintainers to no avail.
> >
> > The OpenSSL maintainers have proven not to read their mail, they aren't
> > interested in cleaning up their big mess.
> >
> >
> > Laurie also states "never fix a bug you don't understand" and this OpenSSL
> > "hero" seems to forget that something that seems smart and OK now and here
> > can be plain bad and ugly when looked at with some more distance or
> > knowledge.
> >
> > His "Adding uninitialised memory to it can do no harm and might do some
> > good, which is why we do it." is pure arrogant and shortsighted shit to me.
> >
> > +++chefren
>
> Of course it is wrong to /depend/ on uninitialized mem to stir a
> random pool. Often "uninitialized" means lots of zeroes or predictable
> stack contents.
>
> But the actual Debian diff that was committed removes any stirring, it
> seems. From a quick view, no actual data from the passed in argument
> is being used to stir the pool anymore. Now that is the real problem.
> Because even if you have collected nice data with high entropy to seed
> the PRNG, it will be ignored.
>
> The openssl-dev list did not spot that, and indeed, that is
> disturbing. But Kurt never actually posted a diff there: so it's easy
> for the two sides to be talking about different things.
>
> As for the arrogance: I'm pretty sure openssl proper contains more
> bugs. When I wrote our dc(1) (which uses the bignum lib from openssl)
> that occurred when adding 0 to a bignum A, which resulted in A not
> being equal to the result. I was quite surprised that bug was never

Ehh, this part is missing something. What I meant to write:

As for the arrogance: I'm pretty sure openssl proper contains bugs.
When I wrote our dc(1) (which uses the bignum lib from openssl) I
stumbled upon a bug that occurred when adding 0 to a bignum A, which
resulted in A not being equal to the result. I was quite surprised that
bug was never

> found before. Probably crypto code only covers parts of the bignum
> functionality. The handling of that bug was adequate, though.
>
>       -Otto
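
The failure mode described in the quoted message above (seed data is passed in but never stirred into the pool), as an added example that is not part of the thread and is not OpenSSL or Debian code. The pool, the FNV-1a stand-in mixer and all function names are hypothetical; the check at the end is the kind of regression test that catches a seed being ignored.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy entropy pool, constructed for illustration. Not OpenSSL or Debian code. */
typedef struct { uint64_t state; } pool_t;
typedef void (*add_fn)(pool_t *, const void *, size_t);

static void pool_init(pool_t *p) { p->state = 0xcbf29ce484222325ULL; }

/* Intended behaviour: every byte of the caller's buffer stirs the pool.
 * FNV-1a is a stand-in mixer chosen for brevity; it is not a CSPRNG. */
static void pool_add(pool_t *p, const void *buf, size_t len) {
    const unsigned char *b = buf;
    for (size_t i = 0; i < len; i++) {
        p->state ^= b[i];
        p->state *= 0x100000001b3ULL;
    }
}

/* Failure mode from the thread: the pool still advances, but nothing
 * read from buf reaches the state, so the seed is ignored. */
static void pool_add_broken(pool_t *p, const void *buf, size_t len) {
    (void)buf;
    p->state ^= (uint64_t)len;
    p->state *= 0x100000001b3ULL;
}

static uint64_t pool_output(add_fn add, const void *seed, size_t len) {
    pool_t p;
    pool_init(&p);
    add(&p, seed, len);
    return p.state;
}

/* Regression check: two different seeds of equal length must give
 * different pool states. Returns 1 if the seed matters, 0 if ignored. */
static int seed_affects_output(add_fn add) {
    static const unsigned char a[] = "constructed seed A";
    static const unsigned char b[] = "constructed seed B";
    return pool_output(add, a, sizeof a) != pool_output(add, b, sizeof b);
}

int main(void) {
    printf("stirring add: seed matters = %d\n", seed_affects_output(pool_add));
    printf("broken add:   seed matters = %d\n", seed_affects_output(pool_add_broken));
    return 0;
}
```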
