[Pkg-openssl-devel] Valgrind patch leftovers
Luca BRUNO
lucab at debian.org
Fri Aug 30 10:24:41 UTC 2013
On Thu, 29 Aug 2013 19:12:34 +0200
Kurt Roeckx <kurt at roeckx.be> wrote:
> > >I'm not sure if it has been already discussed here, but I see that
> > >after the latest Valgrind related problem, not the whole patch has
> > >been dropped [0].
>
> Yes, it comes up from time to time. There is nothing wrong with
> the current patch.
Sorry for the disturb then, but I didn't find pointers in the archive
(my bad).
> The "proof-of-concept" just shows that after a fork you should
> make sure that you reseed the RNG and that OpenSSL doesn't
> do this automaticly for you. OpenSSL has some basic workaround
> for this by also mixing in the PID, but that's cleary not
> enough. You can hardly say that the PID has entropy.
>
> [...]
>
> There is nothing "expected" about this. The difference is that
> without the valgrind patch it adds some information that might
> or might not contain entropy.
That's true, and it may arguably be considered just a bug in the
library-using applications, not properly reseeding.
However, it looks to me that this patch is making such kind of bugs
more severe, as it is *always* removing a source that *might* not
contain entropy. I see many downstream projects patching these bugs, but
only after being bitten by it, and possibly with quite nefarious
end-user effects [0].
As such, even if I acknowledge that the bug is in end-user applications
violating the contract, I'd ask you to re-consider dropping this patch
as a precautionary measure (ie. better safe than sorry) and to decrease
the debian-specific patching delta.
[0] https://plus.google.com/106313804833283549032/posts/X1TvcxNhMWz
Cheers, Luca
--
.''`. | ~<[ Luca BRUNO ~ (kaeso) ]>~
: :' : | Email: lucab (AT) debian.org ~ Debian Developer
`. `'` | GPG Key ID: 0x3BFB9FB3 ~ Free Software supporter
`- | HAM-radio callsign: IZ1WGT ~ Networking sorcerer
More information about the Pkg-openssl-devel
mailing list