Comments on: MD_Update(&m,buf,j); /* purify complains */

By: Joshua Brown

Joshua Brown — Mon, 30 Aug 2010 16:04:27 +0000

i think that Daniel Craig is second to Sean Connery when playing James Bond*`-

By: Marc Randolph

Marc Randolph — Mon, 14 Jul 2008 15:08:39 +0000

After looking around for a while, I don’t see anybody pointing out the ultimate cause of the problem here: the lack of any meaningful comments in the original code. Sure, we can fault the person (actually group – because the change needed to be reviewed, RIGHT?) changing the code for not understanding something that has been there for a long time, but they should get less than 50% of the blame. The majority should go to the person that wrote the code originally and didn’t document the design.

By: Daniel Craig

Daniel Craig — Fri, 11 Jul 2008 03:59:49 +0000

Hi there, I was looking around for a while searching for rsa security and I happened upon this site and your post regarding arrington » MD_Update(&m,buf,j); /* purify complains */, I will definitely this to my rsa security bookmarks!

By: Colin

Colin — Tue, 20 May 2008 14:06:19 +0000

Here are more links and security announcements for those who are interested:
http://www.links.org/?p=328
http://www.securityfocus.com/brief/739?ref=rss
http://www.securityfocus.com/archive/1/491987
http://www.securityfocus.com/archive/1/491989
http://www.securityfocus.com/bid/29179
http://www.securityfocus.com/news/11518?ref=rss
http://blog.uncommonsensesecurity.com/2008/05/debian-predictable-prng-fiasco.html
http://www.zimbra.com/forums/announcements/18157-security-debian-based-openssl-issue.html
http://metasploit.com/users/hdm/tools/debian-openssl/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166
http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/?rev=141
http://rt.openssl.org/Ticket/Display.html?id=521&user=guest&pass=guest

By: Colin

Colin — Tue, 20 May 2008 13:59:04 +0000

Yea there were two places that were fixed in md_rand.c

http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/?rev=141
http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&view=diff&r1=141&r2=140&p1=openssl/trunk/rand/md_rand.c&p2=/openssl/trunk/rand/md_rand.c

Both places commented out the line:
MD_Update(&m,buf,j);
in a similar fashion – Thanks!!

By: jhawthor

jhawthor — Mon, 19 May 2008 01:32:43 +0000

A small correction. The line of code you listed was not responsible for the security hole. There was another MD_Update(&m,buf,j); which was not enclosed by the PURIFY ifndef. The surprising thing is that the patch was unnecessary in the first place, compiling with -DPURIFY would have fixed valgrind’s complaints correctly without introducing a security hole.