Re: [tlug] Debian OpenSSL critical security bug

["Hung Nguyen Vu" <vuhung16plus+shape@example.com>]

On Wed, May 14, 2008 at 7:52 AM, Josh Glover <jmglov@example.com> wrote:
> The lesson here is that distros should not add patches to upstream
> sources that made fundamental changes. Now to teach my fellow Gentoo
> developers that lesson... ;)
No, packagers really *should* work close with upstream projects.
The change is critical, not only fundamental.

An analysis[1] has shown that the code which is used as seed in RNG
has been modified because a it caused Valgrind's Purify dumps a warning!

<quote>
	MD_Update(&m,buf,j);
	[ .. ]
	MD_Update(&m,buf,j); /* purify complains */
[snip]
Removing this code has the side effect of crippling the seeding
process for the OpenSSL PRNG. Instead of mixing in random data for the
initial seed, the only "random" value that was used was the current
process ID. On the Linux platform, the default maximum process ID is
32,768, resulting in a very small number of seed values being used for
all PRNG operations.
</quote>

[1] http://metasploit.com/users/hdm/tools/debian-openssl/

-- 
Best Regards,
Nguyen Hung Vu ( Nguyễn Vũ Hưng )
vuhung16plus{remove}@example.com , YIM: vuhung16
Japan through an eye of a gaijin:
http://www.flickr.com/photos/vuhung/tags/fav/