[Pkg-openssl-devel] Valgrind patch leftovers
Luca BRUNO
lucab at debian.org
Mon Aug 26 07:11:11 UTC 2013
[Please CC me, I'm not subscribed to the list]
Hi,
I'm not sure if it has been already discussed here, but I see that
after the latest Valgrind related problem, not the whole patch has been
dropped [0].
It looks like the remaining #if 0 may cause problems of
not-random-enough bits when a process is forking children and PID
re-use happens. There's a better explanation here [1], which shows that
several projects (Ruby and Postgres) are already working around this
and a recent IV re-use related to Bitcoin-on-Android seems to be caused
by a similar behavior.
I'm not sure if this was discussed after the CVE-2008-0166 incident,
but maybe it would be better to completely drop the patch. Any
rationale of why it has not been done?
I'm inclined to file a bug about that, but I'd like to hear your
comments before proceeding.
Cheers, Luca
[0] http://patch-tracker.debian.org/patch/series/view/openssl/1.0.1e-3/valgrind.patch
[1] http://emboss.github.io/blog/2013/08/21/openssl-prng-is-not-really-fork-safe/
--
.''`. | ~<[ Luca BRUNO ~ (kaeso) ]>~
: :' : | Email: lucab (AT) debian.org ~ Debian Developer
`. `'` | GPG Key ID: 0x3BFB9FB3 ~ Free Software supporter
`- | HAM-radio callsign: IZ1WGT ~ Networking sorcerer
More information about the Pkg-openssl-devel
mailing list