#1 2008-05-27 12:35:20

firewalker
Member
From: Hellas (Greece).
Registered: 2006-06-05
Posts: 412

Huge Hole in Open Source Software Found, Leaves Millions Vulnerable

Debian, the Linux variant used largely by security professionals, and Ubuntu, the variant most commonly used by home users, are both affected. Furthermore, Windows servers may be compromised as well if they are using keys generated on Linux systems.

Ironically, the bug originated from an automated tool known as Valgrind, which is supposed to reduce programming bugs which lead to security vulnerabilities. It found that a block of memory was not being properly initialized, meaning that it would contain random information. The automated tool politely inserted code to clean up the block of memory, making it all zeros. The only problem was that the system was intentionally using the block's unknown contents to get randomness to generate the keys. The library also gets randomness from mouse movements, keystroke timings, network packet arrival timings, and even microvariations in hard drive speed.

The Valgrind code caused errors, so the programmers simply commented out all the code, including the other methods of generating randomness, by accident. Only the code which utilized the process ID, an integer ranging from 0 to 32,767, remained to provide randomness. It turns out the "fix"-turned-grievous-error was not the work of the OpenSSL programmers themselves, but of the Debian team, known for their security expertise.

OpenSSL developer Ben Laurie raged, "Never fix a bug you don't understand! Had Debian [sent the bug to us] in this case, we (the OpenSSL Team) would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was. But no, it seems that every vendor wants to 'add value' by getting in between the user of the software and its author."


Be a realist, stay a dreamer ...

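A toy model of the failure described in the post above, added here as an example (not code from the article, from OpenSSL or from Debian): once the process ID is the only input that varies between runs, the generator can only ever produce 32,768 distinct keys, so a defender can enumerate that whole space once and flag any deployed key that falls in it, which is the idea behind Debian's weak-key blacklists. The functions `broken_keygen`, `sound_keygen`, `weak_key_blacklist` and `is_weak` are my own, and SHA-256 of the seed stands in for real RSA key generation.

```python
"""Model of a PRNG whose only per-run entropy is the 15-bit process ID."""
import hashlib
import os

PID_MAX = 32767  # PID range quoted in the post: 0 .. 32,767


def broken_keygen(pid: int) -> bytes:
    """Patched behaviour: nothing but the PID is mixed into the key material.
    Every run with the same PID yields the same key (stand-in: SHA-256)."""
    return hashlib.sha256(b"key-material:" + pid.to_bytes(2, "big")).digest()


def sound_keygen(pid: int, entropy: bytes) -> bytes:
    """Original behaviour: the PID is mixed with real entropy (the uninitialised
    buffer, mouse/keystroke/network timings ...), modelled here as os.urandom()."""
    return hashlib.sha256(
        b"key-material:" + pid.to_bytes(2, "big") + entropy
    ).digest()


def fingerprint(key: bytes) -> bytes:
    """In practice the blacklist holds fingerprints of public keys, not keys."""
    return hashlib.sha1(key).digest()


def weak_key_blacklist() -> set:
    """Enumerate the entire reachable keyspace of the broken generator.
    This is what the openssl-blacklist approach does: precompute all keys the
    bug can produce and compare fingerprints of keys found on real hosts."""
    return {fingerprint(broken_keygen(pid)) for pid in range(PID_MAX + 1)}


def is_weak(key: bytes, blacklist: set) -> bool:
    """Defender's check: does this key match one of the precomputed weak keys?"""
    return fingerprint(key) in blacklist


if __name__ == "__main__":
    bl = weak_key_blacklist()
    print("reachable keys with PID-only entropy:", len(bl))
    print("PID 4242, broken generator flagged:", is_weak(broken_keygen(4242), bl))
    print("PID 4242, sound generator flagged:", is_weak(sound_keygen(4242, os.urandom(32)), bl))
```

The blacklist is tiny (32,768 entries) precisely because the keyspace is, which is why scanning every authorized_keys file and TLS certificate against it was feasible for administrators at the time.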

#2 2008-05-27 12:37:56

Husio
Member
From: Europe
Registered: 2005-12-04
Posts: 359

Re: Huge Hole in Open Source Software Found, Leaves Millions Vulnerable

That's really fresh news :P


#3 2008-05-27 13:10:32

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,818

Re: Huge Hole in Open Source Software Found, Leaves Millions Vulnerable

The TS oughta be ashamed of him/herself lol

This news is so old even Debian has fixed this bug already :P. Probably...


Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy


#4 2008-05-27 14:53:43

Redroar
Member
Registered: 2008-03-17
Posts: 200

Re: Huge Hole in Open Source Software Found, Leaves Millions Vulnerable

Though I heard of this quite a while ago, it's yet another reason Arch keeping packages vanilla is a good thing.


Stop looking at my signature. It betrays your nature.


#5 2008-05-27 15:37:56

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,604

Re: Huge Hole in Open Source Software Found, Leaves Millions Vulnerable

firewalker - this was discussed here and on our mailing lists at the time the vulnerability was discovered, approximately two weeks ago. It's always a good idea to search the forum before posting.

http://bbs.archlinux.org/viewtopic.php?id=48660

Thread closed.
