Openssl advisory ?
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Thu Apr 9 22:02:09 UTC 2009
Mike, *, good day.
Mon, Apr 06, 2009 at 02:44:01PM -0400, Mike Tancsa wrote:
> Just wondering if this impacts FreeBSD's version in any significant way ?
>
> http://www.openssl.org/news/secadv_20090325.txt
DoS is probably the likiest item that will be visible: CMS is disabled
by-default in upstream version and isn't yet present in FreeBSD's
OpenSSL (checked 7-STABLE and 8-CURRENT) and the third issue is only
present on platforms where sizeof (void *) > sizeof (long). I guess
that there could be such platforms (and compilers) on FreeBSD that will
produce such result, but I can't name anything. I only know that M$'s
Visual Studio will produce sizeof(long) == 4 and sizeof(void *) == 8
on the 64-bit branch.
By the way, there is other. older OpenSSL issue that looks unpatched,
http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/126446
Side-channel attacks are often hard to conduct and some special
curcumstances should hold, but when it is done properly, this could
yield very sound results, for example,
http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf
http://www.openssl.org/news/secadv_20030317.txt
Perhaps the second issue could be patched as well? The patch touches
only Montgomery multiplication routine and should not interfere with
anything else, so it should be rather safe to fix this vulnerability
in terms of possible regressions.
--
Eygene
_ ___ _.--. #
\`.|\..----...-'` `-._.-'_.-'` # Remember that it is hard
/ ' ` , __.--' # to read the on-line manual
)/' _/ \ `-_, / # while single-stepping the kernel.
`-'" `"\_ ,_.-;_.-\_ ', fsc/as #
_.-'_./ {_.' ; / # -- FreeBSD Developers handbook
{_.-``-' {_/ #
More information about the freebsd-security
mailing list