Critical crypto bug?


Re: Critical crypto bug?

Postby Monsta on Thu Mar 06, 2014 1:04 pm

Both packages migrated to Testing a few hours ago.

Re: Critical crypto bug?

Postby zerozero on Thu Mar 06, 2014 1:12 pm

Monsta wrote: [...] Though it doesn't make any difference to LMDE users. No one is gonna push such fixes into LMDE anyway [...]
ping Clem?

Re: Critical crypto bug?

Postby Monsta on Thu Mar 06, 2014 1:23 pm

You can try, he said he'll be taking a week off after LMDE release :)

During the LMDE 201403 RC testing, when it became clear that Mint should provide a patched version of systemd to fix a nasty bug, I tried asking whether it would be acceptable to put the patched version straight into the UP repository instead of packages.linuxmint.com. Clem replied that he prefers working with the unmodified base... :?

Re: Critical crypto bug?

Postby kurotsugi on Thu Mar 06, 2014 1:34 pm

The case was different. Not everyone is using systemd and the package isn't installed by default. Furthermore, it doesn't have any security-related stuff. In our new case all users are affected by this issue and there's a huge security risk if we don't fix it.

Re: Critical crypto bug?

Postby peyrol on Thu Mar 06, 2014 6:44 pm

Wow! I suppose, if I hadn't posted, someone else would have, a few hours or minutes later.

Until the update is available, what do you recommend that the average user such as myself should do? Apparently this has been a bug for over six years. Are a few more days crucial?

Below is a quote from Howard Chu in February 2008.
The recent trouble in ITS#5361 prompted me to look into the GnuTLS code a little deeper. It turns out that their corresponding set_subject_alt_name() API only takes a char * pointer as input, without a corresponding length. As such, this API will only work for string-form alternative names, and will typically break with IP addresses and other alternatives.

Looking across more of their APIs, I see that the code makes liberal use of strlen and strcat, when it needs to be using counted-length data blobs everywhere. In short, the code is fundamentally broken; most of its external and internal APIs are incapable of passing binary data without mangling it. The code is completely unsafe for handling binary data, and yet the nature of TLS processing is almost entirely dependent on secure handling of binary data.

I strongly recommend that GnuTLS not be used. All of its APIs would need to be overhauled to correct its flaws and it's clear that the developers there are too naive and inexperienced to even understand that it's broken.

Would an upgrade to GnuTLS 3.2.12 truly address all these issues?
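Howard Chu's point about a char *-only set_subject_alt_name() API, as an added illustration that is constructed for this thread and is not GnuTLS or OpenLDAP code: an iPAddress alternative name is four raw octets, so any address containing a zero octet is cut short by strlen(), while a counted-length path keeps it intact. The helper names san_set_string and san_set_blob are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed storage for one subject-alternative-name value. */
typedef struct {
    unsigned char data[16];
    size_t len;
} san_value_t;

/* Hypothetical char*-only setter: it must infer the length with strlen(),
 * so it stops at the first zero byte, which is the defect described above. */
static size_t san_set_string(san_value_t *out, const char *value) {
    out->len = strlen(value);
    memcpy(out->data, value, out->len);
    return out->len;
}

/* Hypothetical counted-length setter: binary data survives intact. */
static size_t san_set_blob(san_value_t *out, const unsigned char *value, size_t len) {
    if (len > sizeof out->data) return 0;  /* refuse oversized input */
    out->len = len;
    memcpy(out->data, value, len);
    return len;
}

/* Number of octets of an IPv4 iPAddress SAN (4 raw bytes) that the
 * char*-only path drops; 0 means the address happened to survive. */
size_t ipv4_octets_lost(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    unsigned char ip[4] = { a, b, c, d };
    char as_cstring[5];
    san_value_t via_string, via_blob;

    memcpy(as_cstring, ip, 4);
    as_cstring[4] = '\0';
    san_set_string(&via_string, as_cstring);
    san_set_blob(&via_blob, ip, 4);

    /* The blob path always keeps all 4 octets in order. */
    if (via_blob.len != 4 || memcmp(via_blob.data, ip, 4) != 0) return (size_t)-1;
    return via_blob.len - via_string.len;
}

int main(void) {
    printf("10.0.0.1 via char*: %zu octet(s) lost\n", ipv4_octets_lost(10, 0, 0, 1));
    printf("192.168.1.1 via char*: %zu octet(s) lost\n", ipv4_octets_lost(192, 168, 1, 1));
    return 0;
}
```

Any address with a zero octet (10.0.0.1 loses three of four bytes) shows why such an API cannot carry DER-encoded names; the same applies to any other binary alternative-name form.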

Re: Critical crypto bug?

Postby Previous1 on Wed Mar 12, 2014 2:27 pm

An update can't fix what's broken by design (if such is the case). But what's the alternative.. OpenSSL? :roll:

Re: Critical crypto bug?

Postby macrohard on Wed Mar 12, 2014 9:29 pm

I know that GnuTLS was hyped up in the news, but I would look at it with this perspective. If it was a hole for that long, it would have been heavily exploited on Linux systems, and there is not much evidence so far that systems were compromised as a result.

Now that it is known, best security practices should be followed to apply the patches, and developers should fix the issues in GnuTLS.