| |||||||||||||
Cryptographic weakness on Debian systemsCryptographic weakness on Debian systemsPosted May 13, 2008 17:01 UTC (Tue) by pharm (guest, #22305)In reply to: Cryptographic weakness on Debian systems by IkeTo Parent article: Cryptographic weakness on Debian systems
My thinking is that it might actually not be uninitialized data at all, but is instead the content handed over by a part of the interface for SSL random number pool that actually accept random data and add them to the pool, i.e., most of the "real" randomness available. Which makes perfect sense, except that I don't understand why purify & valgrind would complain about it in that case. Oh well. No doubt all will become clear eventually & I don't have time to chase down the logic right now...
(Log in to post comments)
Cryptographic weakness on Debian systems Posted May 13, 2008 17:19 UTC (Tue) by welinder (guest, #4699) [Link] Purify/Valgrind will complain if you read more than the initialized part. Still, whoever took out the entire initialization should not be trusted with security intensive code.
Cryptographic weakness on Debian systems Posted May 14, 2008 12:42 UTC (Wed) by dion (subscriber, #2764) [Link] That would be Kurt Roeckx: http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/r... http://alioth.debian.org/users/kroeckx/
Cryptographic weakness on Debian systems Posted May 14, 2008 13:01 UTC (Wed) by DeletedUser32991 ((unknown), #32991) [Link] Kurt did ask about it on the upstream list, too.
Cryptographic weakness on Debian systems Posted May 14, 2008 18:55 UTC (Wed) by dion (subscriber, #2764) [Link] Yes, that should ward off the tar+feathers. When even openssl developers can't tell that the change is catastrophic then he might be excused. This does illustrate why blindly fixing warnings is a dangerous and bad idea, though.
|
|||||||||||||