A different proposal

Paul Hoffman paul.hoffman at vpnc.org
Thu Apr 10 22:28:06 UTC 2014 

On Apr 10, 2014, at 12:36 PM, ari edelkind <edelkind-list-freebsd-security at episec.com> wrote:

> On Thu, Apr 10, 2014 at 10:56 AM, Paul Hoffman wrote:
> 
>> Quite right. It is reasonable to assume that, given what we now know about
>> the memory allocation scheme in OpenSSL, that other bugs exist and will
>> only be found by exploits. Thus, it is reasonable to assume that there will
>> be future emergencies like Heartbleed related to bugs in OpenSSL.
>> 
> 
> I'm guessing you read a popular post by Theo de Raadt that's been going
> around.  Sorry, but OpenBSD's bastardized memory allocation scheme would
> not have solved this; OpenSSL's malloc implementation was not to blame
> here.  

I have heard from others, less interested in self-aggrandizement than Theo, that OpenSSL's malloc was significantly to blame. I'm not saying OpenBSD's is better, just that I have heard from multiple sources that OpenSSL malloc-wrapping both hides some bugs and makes them hard to find with automated tools.

> Amateurish failure to check the sanity of user-supplied input was to
> blame.  

Yes.

> Idiotic, error-prone protocol specifications, written by
> non-programmers, were to blame.  

Not in this case.

> OpenSSL's allocator, in this instance,
> worked fine -- even if it isn't the optimal choice for all operating
> systems.

Maybe; I'm certainly not in a position to say either way.

> If your reliance on OpenSSL bugs being fixed requires a fix at a rate
>> faster than what the FreeBSD community provides, then you should not rely
>> on the FreeBSD community.
> 
> 
> Or just make sure that all of your running services link to the OpenSSL
> library built from ports.  While i'm not exactly thrilled with the prospect
> of waiting a significant amount of time for a vulnerability in the base
> distribution to be officially patched, relying on the base system for
> something like that is a bit like taking a tank to the racetrack.

Updates to ports are inherently slower than patches from the OpenSSL team. My point is not that either ports or distribution are "too slow" for everyone: it is that if you are sure you need something faster than them, there is another option.

>> Install OpenSSL on your mission-critical systems from OpenSSL source, not
>> from FreeBSD ports or packages.
> 
> 
> This is a poor idea from a maintenance standpoint.  Firstly, the ports
> system was updated fairly quickly,

...but not necessarily quick enough for the people complaining about the response speed of the FreeBSD team...

> but aside from that, updating an
> existing port yourself to download and install the next version is usually
> a trivial task.  And you get package management for free.

Again: the whole point of this thread are people who apparently need more speed, demanding that someone be paid to make things faster for them.

--Paul Hoffman

More information about the freebsd-security mailing list