Comments on: MD_Update(&m,buf,j); /* purify complains */ http://colinharrington.net/blog/2008/05/md_update-purify-complains/ Technologist, Consultant, Software Engineer, Entrepreneur and Musician Mon, 23 Jan 2012 05:25:42 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Latesha Kimrey http://colinharrington.net/blog/2008/05/md_update-purify-complains/comment-page-1/#comment-4333 Latesha Kimrey Fri, 09 Dec 2011 22:32:37 +0000 http://colinharrington.net/blog/index.php/2008/05/17/md_update-purify-complains/#comment-4333 Thanks a ton for your time and effort to have put these issues together on this weblog. Janet and i also quite a lot appreciated your suggestions via your articles on certain things. I know that you have a variety of demands on your personal program hence the fact that you took all the time just like you did to guide people just like us by means of this post is also highly valued. Thanks a ton for your time and effort to have put these issues together on this weblog. Janet and i also quite a lot appreciated your suggestions via your articles on certain things. I know that you have a variety of demands on your personal program hence the fact that you took all the time just like you did to guide people just like us by means of this post is also highly valued.

]]> By: Marc Randolph http://colinharrington.net/blog/2008/05/md_update-purify-complains/comment-page-1/#comment-203 Marc Randolph Mon, 14 Jul 2008 15:08:39 +0000 http://colinharrington.net/blog/index.php/2008/05/17/md_update-purify-complains/#comment-203 After looking around for a while, I don't see anybody pointing out the ultimate cause of the problem here: the lack of any meaningful comments in the original code. Sure, we can fault the person (actually group - because the change needed to be reviewed, RIGHT?) changing the code for not understanding something that has been there for a long time, but they should get less than 50% of the blame. The majority should go to the person that wrote the code originally and didn't document the design. After looking around for a while, I don’t see anybody pointing out the ultimate cause of the problem here: the lack of any meaningful comments in the original code. Sure, we can fault the person (actually group – because the change needed to be reviewed, RIGHT?) changing the code for not understanding something that has been there for a long time, but they should get less than 50% of the blame. The majority should go to the person that wrote the code originally and didn’t document the design.

]]> By: Daniel Craig http://colinharrington.net/blog/2008/05/md_update-purify-complains/comment-page-1/#comment-176 Daniel Craig Fri, 11 Jul 2008 03:59:49 +0000 http://colinharrington.net/blog/index.php/2008/05/17/md_update-purify-complains/#comment-176 Hi there, I was looking around for a while searching for rsa security and I happened upon this site and your post regarding arrington » MD_Update(&m,buf,j); /* purify complains */, I will definitely this to my rsa security bookmarks! Hi there, I was looking around for a while searching for rsa security and I happened upon this site and your post regarding arrington » MD_Update(&m,buf,j); /* purify complains */, I will definitely this to my rsa security bookmarks!

]]> By: Colin http://colinharrington.net/blog/2008/05/md_update-purify-complains/comment-page-1/#comment-51 Colin Tue, 20 May 2008 14:06:19 +0000 http://colinharrington.net/blog/index.php/2008/05/17/md_update-purify-complains/#comment-51 Here are more links and security announcements for those who are interested: http://www.links.org/?p=328 http://www.securityfocus.com/brief/739?ref=rss http://www.securityfocus.com/archive/1/491987 http://www.securityfocus.com/archive/1/491989 http://www.securityfocus.com/bid/29179 http://www.securityfocus.com/news/11518?ref=rss http://blog.uncommonsensesecurity.com/2008/05/debian-predictable-prng-fiasco.html http://www.zimbra.com/forums/announcements/18157-security-debian-based-openssl-issue.html http://metasploit.com/users/hdm/tools/debian-openssl/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166 http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/?rev=141 http://rt.openssl.org/Ticket/Display.html?id=521&user=guest&pass=guest Here are more links and security announcements for those who are interested:
http://www.links.org/?p=328
http://www.securityfocus.com/brief/739?ref=rss
http://www.securityfocus.com/archive/1/491987
http://www.securityfocus.com/archive/1/491989
http://www.securityfocus.com/bid/29179
http://www.securityfocus.com/news/11518?ref=rss
http://blog.uncommonsensesecurity.com/2008/05/debian-predictable-prng-fiasco.html
http://www.zimbra.com/forums/announcements/18157-security-debian-based-openssl-issue.html
http://metasploit.com/users/hdm/tools/debian-openssl/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166
http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/?rev=141
http://rt.openssl.org/Ticket/Display.html?id=521&user=guest&pass=guest

]]> By: Colin http://colinharrington.net/blog/2008/05/md_update-purify-complains/comment-page-1/#comment-50 Colin Tue, 20 May 2008 13:59:04 +0000 http://colinharrington.net/blog/index.php/2008/05/17/md_update-purify-complains/#comment-50 Yea there were two places that were fixed in md_rand.c http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/?rev=141 http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&view=diff&r1=141&r2=140&p1=openssl/trunk/rand/md_rand.c&p2=/openssl/trunk/rand/md_rand.c Both places commented out the line: MD_Update(&m,buf,j); in a similar fashion - Thanks!! Yea there were two places that were fixed in md_rand.c

http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/?rev=141
http://svn.debian.org/viewsvn/pkg-openssl/openssl/trunk/rand/md_rand.c?rev=141&view=diff&r1=141&r2=140&p1=openssl/trunk/rand/md_rand.c&p2=/openssl/trunk/rand/md_rand.c

Both places commented out the line:
MD_Update(&m,buf,j);
in a similar fashion – Thanks!!

]]> By: jhawthor http://colinharrington.net/blog/2008/05/md_update-purify-complains/comment-page-1/#comment-46 jhawthor Mon, 19 May 2008 01:32:43 +0000 http://colinharrington.net/blog/index.php/2008/05/17/md_update-purify-complains/#comment-46 A small correction. The line of code you listed was not responsible for the security hole. There was another MD_Update(&m,buf,j); which was not enclosed by the PURIFY ifndef. The surprising thing is that the patch was unnecessary in the first place, compiling with -DPURIFY would have fixed valgrind's complaints correctly without introducing a security hole. A small correction. The line of code you listed was not responsible for the security hole. There was another MD_Update(&m,buf,j); which was not enclosed by the PURIFY ifndef. The surprising thing is that the patch was unnecessary in the first place, compiling with -DPURIFY would have fixed valgrind’s complaints correctly without introducing a security hole.

]]>