A Rather Severe Debian/Ubuntu Security Problem

RThurmont
Jedi Master
Posts: 1243
Joined: 2005-07-09 01:58pm
Location: Desperately trying to find a local restaurant that serves foie gras.


Post by RThurmont »

This makes me glad I don't use them.

Seriously, what kind of idiot would remove a critical random number seeder from OpenSSL? More importantly, what does this say about the developers of Debian and Ubuntu? Both distributions maintain large security teams...you would rather think (and indeed hope) that packages like OpenSSL, and especially, changes to them, would be monitored and closely scrutinized. If this bug had slipped into a release and been corrected in, say, three weeks, IMO this wouldn't be as big a deal, but it disturbs me that this has gone on since 2006. It makes me wonder how many people might well have been unknowingly pwned in the interim?

As an aside, I find Debian and Ubuntu exceeding OS X on my list of least favorite OSes. OS X may be slow, but at least it works, and as an added plus, it has pretty graphics, and as far as I know, has never had such a mind-numbingly stupid vulnerability such as this one.

Perhaps I'm over-reacting, but the entirety of this situation seems absurd to me.

EDIT: As an aside, one thing that annoys me about my local linux user group, which does consist of some very nice people, is that it has what could be politely described as an "excessive preference for Debian-based distributions." Last year I watched one senior member of the group scare another member into migrating to Debian from Mandriva, with some random lies about Mandriva's repository mirrors not being properly updated.

SECOND, MUCH LATER EDIT:

Link fixed...today is not my best day in terms of post accuracy...
Last edited by RThurmont on 2008-05-13 08:19pm, edited 1 time in total.
"Here's a nickel, kid. Get yourself a better computer."
Admiral Valdemar
Outside Context Problem
Posts: 31572
Joined: 2002-07-04 07:17pm
Location: UK

Post by Admiral Valdemar »

You are overreacting. This isn't even an Ubuntu issue, or a Debian one for that matter (if you read the site you linked to, you'd know), so says nothing about Ubuntu developers. The bug has also been fixed since the end of April, so quite why this thread was even made I don't know. It sounds like you have an axe to grind. I hate Apple for their pretentiousness and Microsoft for their ineptness. I don't go about making non-issue threads on that pet hate, though.

As for usability, I don't even need to touch that. I just need to look at the uptake of Ubuntu and how I've gotten total Linux virgins to use it to show me that "it just works" is there. As someone who started on a KDE distro (namely Mandriva 2005 SE), I can say I far prefer Ubuntu personally. There's a reason there are so many flavours and it's a good thing.
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Post by phongn »

Admiral Valdemar wrote: You are overreacting. This isn't even an Ubuntu issue, or a Debian one for that matter (if you read the site you linked to, you'd know), so says nothing about Ubuntu developers. The bug has also been fixed since the end of April, so quite why this thread was even made I don't know. It sounds like you have an axe to grind.
RThurmont always has an axe to grind, but he's right in this case. It is a serious issue, and it is a Debian one (which Ubuntu inherited). Every SSH key made in the last two years has to be regenerated now, and that such a bug was made does not speak well for their security team.
Admiral Valdemar wrote: As for usability, I don't even need to touch that. I just need to look at the uptake of Ubuntu and how I've gotten total Linux virgins to use it to show me that "it just works" is there. As someone who started on a KDE distro (namely Mandriva 2005 SE), I can say I far prefer Ubuntu personally. There's a reason there are so many flavours and it's a good thing.
Unfortunately, Ubuntu 8.04 is ... not ready.
RThurmont
Jedi Master
Posts: 1243
Joined: 2005-07-09 01:58pm
Location: Desperately trying to find a local restaurant that serves foie gras.

Post by RThurmont »

It is most definitely a Debian problem, considering that it was a Debian developer who modified the code.

EDIT: Apparently, the developer freaked out about the proliferation of error messages Valgrind was causing, and commented out two lines of code, one of which caused this SSL/SSH breakage. I read this earlier today, but in the process of it sitting in the stagnant depths of my cold-infected head, it apparently became somewhat corrupt, and I mistakenly posted a few moments ago that the dev's actions were due to a desire to improve performance. Thanks to Destructionator for reminding me...

Destructionator and I were discussing this this morning...basically, there are three disturbing aspects to this bug: that a Debian developer was dumb enough to cause it, that none of his immediate superiors/colleagues stopped him, and that the Debian and Ubuntu security teams failed to catch this bug for such a great length of time. It also IMO speaks to some degree of blind acceptance of whatever Debian puts into Unstable on the part of the Ubuntu devs...

What ticks me off though is not only did this happen within Debian, but at the same time, I have acquaintances who are scaring other friends of mine who were using perfectly viable non-Debian based Linux systems into not using them, out of some random bullshit about repository availability. There seems to be this extremely large, vocal pro-Debian contingent in the Linux community, and given the importance this lends to Debian, for better or for worse, this kind of an oversight is shocking IMO.
"Here's a nickel, kid. Get yourself a better computer."
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Post by phongn »

RThurmont wrote: It is most definitely a Debian problem, considering that it was a Debian developer who modified the code in such a way that caused this mess. From what I've read, apparently, performance of another app, valgrind, was being affected, and two lines of code were commented out, without the dev in question really understanding what he was doing. The result was that not only was valgrind performance enhanced, but OpenSSH and SSL were broken. :-P
Er, no, you don't quite understand correctly. Valgrind is a program used to automatically analyze and profile code. In this case, it detected that one of the lines of code was using uninitialized memory. This was intentional and used in an attempt to increase the entropy of the input into the PRNG. Commenting out that line would've probably been unproblematic (and it's questionable how much improvement that line really gave, anyways).

The real problem is that the patch writer then commented out another similar line for the seed, effectively breaking the entire PRNG.
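As an added illustration of the point phongn makes above (this is not part of the thread and is not OpenSSL's actual md_rand.c code), here is a toy Python model of an entropy pool. One version mixes the real seed material into the pool before drawing key bytes; the other skips that step, so that the process ID is the only input still mixed in, which is what the removed seeding line left behind in the real bug. Counting distinct "keys" over many runs shows how the output space collapses from one key per run to one key per possible PID. The pool, the hash-based mixing, the 100-PID range and the 32-byte seed are all constructed for the demonstration.

```python
import hashlib
import os

POOL_BYTES = 32


class ToyPool:
    """Constructed toy entropy pool: state is a hash that fresh input is folded into.

    This stands in for the real seeding logic only conceptually; it is not OpenSSL.
    """

    def __init__(self) -> None:
        self.state = b"\x00" * POOL_BYTES

    def add(self, data: bytes) -> None:
        # Fold new input bytes into the pool state.
        self.state = hashlib.sha256(self.state + data).digest()

    def bytes(self, n: int) -> bytes:
        # Derive output from the state, then step the state forward.
        out = hashlib.sha256(b"out" + self.state).digest()[:n]
        self.state = hashlib.sha256(b"next" + self.state).digest()
        return out


def generate_key(seed: bytes, pid: int, mix_seed: bool) -> bytes:
    """Produce a 16-byte 'key' from the pool.

    mix_seed=True  models the intact code: seed material is added to the pool.
    mix_seed=False models the broken code: the seed-mixing line is gone and
                   only the PID still reaches the pool.
    """
    pool = ToyPool()
    if mix_seed:
        pool.add(seed)  # the seeding step the patch removed, in this model
    pool.add(pid.to_bytes(4, "big"))  # PID is still mixed in either way
    return pool.bytes(16)


def distinct_keys(mix_seed: bool, pid_range: int, trials: int) -> int:
    """Count how many different keys `trials` runs produce.

    Each run gets fresh seed material (os.urandom stands in for the kernel
    RNG) and a PID cycling through `pid_range` constructed values.
    """
    seen = set()
    for i in range(trials):
        seed = os.urandom(POOL_BYTES)  # constructed: fresh seed per run
        pid = i % pid_range
        seen.add(generate_key(seed, pid, mix_seed))
    return len(seen)


if __name__ == "__main__":
    print("intact seeding, 1000 runs:", distinct_keys(True, 100, 1000))
    print("seed line removed, 1000 runs:", distinct_keys(False, 100, 1000))
```

With the seed line in place, 1000 runs yield 1000 different keys; with it removed, the same 1000 runs yield only as many keys as there are PID values (100 here). That is why every key generated by the affected build is suspect and the defensive response is regeneration rather than patching alone: the patch fixes future keys, not the ones already made from the tiny space.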
RThurmont
Jedi Master
Posts: 1243
Joined: 2005-07-09 01:58pm
Location: Desperately trying to find a local restaurant that serves foie gras.

Post by RThurmont »

Yeah yeah, Phongn, I got that, sorry about that.
"Here's a nickel, kid. Get yourself a better computer."
Admiral Valdemar
Outside Context Problem
Posts: 31572
Joined: 2002-07-04 07:17pm
Location: UK

Post by Admiral Valdemar »

Okay, I must be missing something here, but does that OP link even refer to the issue at hand? Because I'm seemingly looking at something else.

On 8.04, it's no surprise that even freeware vendors release operating systems without all the bugs ironed out, but that is why my policy on all tech matters has been "fools rush in". ;)