Cryptographic weakness on Debian systems

Posted May 13, 2008 17:12 UTC (Tue) by tialaramex (subscriber, #21167)
In reply to: Cryptographic weakness on Debian systems by IkeTo
Parent article: Cryptographic weakness on Debian systems

It looks like someone found a screw sticking out, and having a hammer handy, decided to bash
it flat. As you'd expect in security software, the result was disastrous.

Something, somewhere, calls this function with potentially uninitialised data (or perhaps, a
dodgy piece of analysis software only thinks it is uninitialised because it can't find the
initialiser). Maybe it's actually a test routine. Maybe it's one uninitialised byte caused by
an off-by-one error somewhere. Either way it's irrelevant to this function. Rather than find
and fix that minor mistake, someone with Debian checkin privileges "fixed" it by removing
critical code from this function, silencing the warning and disabling Debian's security.

I guess the Debian Security people will need to re-assess who gets to modify critical packages
like this. It's one thing to trust that someone isn't going to deliberately sabotage a package
(they could just as easily add malware to GNOME Games as to OpenSSL) and quite another to
trust that they know what they're doing modifying complicated software like this to try to
"fix" security problems.
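
As an added illustration of the failure mode described in the post above (this is constructed model code, not anything from the thread and not OpenSSL's own pool): a toy seeded pool in which the statement that stirs caller-supplied bytes in is exactly the kind of line a memory checker flags when the bytes are uninitialised, and a count of how many distinct keys a population of processes ends up with once that statement is removed. The 64-bit state, the mixer constants and the per-process seed are stand-ins chosen for the model.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a seeded pool, not OpenSSL's code: a 64-bit state
 * plus a bijective mixer stands in for the real hash-based pool so the
 * effect of dropping the mixing step is easy to measure. */
typedef struct { uint64_t state; } pool_t;

static uint64_t mix64(uint64_t x) {   /* splitmix64-style finaliser, a bijection */
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    return x ^ (x >> 31);
}

/* Stir caller-supplied bytes (up to 8) into the pool. This is the kind of
 * statement a memory checker complains about when `buf` is uninitialised,
 * because the state then depends on whatever those bytes happen to hold. */
static void pool_add(pool_t *p, const unsigned char *buf, size_t len, int keep_mixing) {
    if (!keep_mixing) return;          /* the "fix": warning gone, input ignored */
    uint64_t v = len;
    for (size_t i = 0; i < len && i < 8; i++) v = (v << 8) | buf[i];
    p->state = mix64(p->state ^ (v * 0x9E3779B97F4A7C15ULL));
}

static uint64_t pool_key(pool_t *p) {  /* derive a "key" from the pool state */
    p->state = mix64(p->state);
    return p->state;
}

/* Simulate n processes that each seed a fresh pool with one distinct 32-bit
 * value (constructed stand-in for per-process entropy) and draw a key;
 * return how many distinct keys the whole population ends up with. */
size_t count_distinct_keys(uint32_t n, int keep_mixing) {
    static uint64_t keys[4096];
    size_t distinct = 0;
    if (n > 4096) n = 4096;
    for (uint32_t i = 0; i < n; i++) {
        pool_t p = { 0x1234 };          /* same fixed starting state for everyone */
        unsigned char seed[4] = { (unsigned char)i, (unsigned char)(i >> 8),
                                  (unsigned char)(i >> 16), (unsigned char)(i >> 24) };
        pool_add(&p, seed, sizeof seed, keep_mixing);
        uint64_t k = pool_key(&p);
        size_t j = 0;
        while (j < distinct && keys[j] != k) j++;   /* linear scan, fine for a model */
        if (j == distinct) keys[distinct++] = k;
    }
    return distinct;
}

int main(void) {
    printf("with mixing:    %zu distinct keys from 1000 processes\n", count_distinct_keys(1000, 1));
    printf("without mixing: %zu distinct keys from 1000 processes\n", count_distinct_keys(1000, 0));
    return 0;
}
```

With the mixing statement present every process gets its own key; with it removed the whole population shares one, which is the collapse the post calls "disabling Debian's security".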



Cryptographic weakness on Debian systems

Posted May 13, 2008 17:35 UTC (Tue) by IkeTo (subscriber, #2122)

See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=363516 if you wanna see the process that
creates the bug.

Cryptographic weakness on Debian systems

Posted May 13, 2008 22:10 UTC (Tue) by philh (subscriber, #14797)

... quite another to trust that they know what they're doing modifying complicated software like this to try to "fix" security problems.

Well, that would be fair comment if Kurt Roeckx (one of the Debian openssl maintainers) had taken it upon himself to make this change in isolation, but as you can see from this thread, the patch was mentioned to the openssl-dev list, without provoking negative comment, so it's difficult to know who one should be pointing fingers at.

Mistakes happen -- looking for someone to blame isn't overly productive at the best of times, and when it is based on false premises, not at all.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds