Debian vulnerability has widespread effects

Posted May 15, 2008 2:23 UTC (Thu) by jamesh (guest, #1159)
Parent article: Debian vulnerability has widespread effects

If the OpenSSL guys want to continue using uninitialised buffers as a source of entropy, it
might be worth sprinkling a few calls to VALGRIND_MAKE_MEM_DEFINED() in the appropriate
locations.

It is a no-op when not running under Valgrind and should be fairly cheap.  If the overhead is
small enough, it'd be useful to include in release builds on systems that support Valgrind.
Not being able to run a memory debugger on critical infrastructure like OpenSSL (or on
applications that use it) is a serious problem.


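The pattern suggested in the comment above, as an added example written for this page (it is not the commenter's code and not OpenSSL's md_rand.c): a toy 64-bit FNV-1a pool stands in for the real RNG state, a stack buffer is deliberately fed into it without ever being written, and VALGRIND_MAKE_MEM_DEFINED is called on that buffer first so Memcheck does not flag the read. The pool_t type, the function names and the fallback macro definitions are assumptions for the example; the real macros come from <valgrind/memcheck.h> and are likewise no-ops outside Valgrind.

```c
/* Added example for the LWN comment thread; hypothetical code, not OpenSSL's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__has_include)
#  if __has_include(<valgrind/memcheck.h>)
#    include <valgrind/memcheck.h>
#    define HAVE_VALGRIND_MEMCHECK 1
#  endif
#endif
#ifndef HAVE_VALGRIND_MEMCHECK
/* Fallback so the example builds without the Valgrind headers installed.
 * The real macros behave the same way when not running under Valgrind:
 * the client request is a no-op and RUNNING_ON_VALGRIND is 0. */
#  define VALGRIND_MAKE_MEM_DEFINED(addr, len) ((void)(addr), (void)(len), 0)
#  define RUNNING_ON_VALGRIND 0
#endif

/* Toy entropy pool: a 64-bit FNV-1a state (assumed stand-in for the RNG). */
typedef struct { uint64_t state; } pool_t;

#define FNV_OFFSET 0xcbf29ce484222325ULL
#define FNV_PRIME  0x100000001b3ULL

void pool_init(pool_t *p) { p->state = FNV_OFFSET; }

/* Mix bytes into the pool. If any of them are undefined as far as Memcheck
 * is concerned, the undefinedness propagates into p->state, and the first
 * branch or system call that depends on it produces the familiar
 * "depends on uninitialised value(s)" report. */
void pool_add(pool_t *p, const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        p->state ^= buf[i];
        p->state *= FNV_PRIME;
    }
}

uint64_t pool_state(const pool_t *p) { return p->state; }

/* The pattern from the comment: intentionally feed a buffer whose contents
 * were never written into the pool, but first tell Memcheck that the read is
 * deliberate. Returns the number of bytes mixed. The macro only silences the
 * tool; it says nothing about how much entropy those bytes actually carry. */
size_t pool_add_uninitialised_stack(pool_t *p) {
    unsigned char scratch[64];              /* intentionally left uninitialised */
    VALGRIND_MAKE_MEM_DEFINED(scratch, sizeof scratch);
    pool_add(p, scratch, sizeof scratch);
    return sizeof scratch;
}

int main(void) {
    pool_t p;
    pool_init(&p);
    pool_add(&p, (const unsigned char *)"constructed seed", 16);
    pool_add_uninitialised_stack(&p);
    printf("running under valgrind: %d\n", (int)RUNNING_ON_VALGRIND);
    printf("pool state: %016llx\n", (unsigned long long)pool_state(&p));
    return 0;
}
```

Run it once normally and once under `valgrind ./a.out`: with the VALGRIND_MAKE_MEM_DEFINED line present Memcheck stays silent about the scratch buffer; delete that one line and Memcheck reports the use of uninitialised data as soon as the pool state is printed.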

Debian vulnerability has widespread effects

Posted May 15, 2008 4:41 UTC (Thu) by proski (subscriber, #104) [Link]

I would prefer that only inputs definitely not controlled by attackers are used, and I'm not sure it can be guaranteed that uninitialized data is not manipulated in some way. There are sources of entropy that are harder to subvert. I think it's better to have less entropy but avoid giving attackers another possibility for exploits.

You don't use an enemy's rivets to build your battleships. They may be just little pieces of metal that get a very different shape when used, but never underestimate those who are determined to harm you.


Copyright © 2017, Eklektix, Inc.