OpenSSL CVE-2014-0160 (openssl) in 10-STABLE workaround?

John Nielsen lists at jnielsen.net
Thu Apr 10 22:58:11 UTC 2014


Apparently OpenSSL intentionally subverts malloc, which is why the issue exists at all... See also (cribbed, I confess, from Slashdot):

http://article.gmane.org/gmane.os.openbsd.misc/211963
http://www.tedunangst.com/flak/post/heartbleed-vs-mallocconf
http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse

On Apr 8, 2014, at 12:00 PM, Oliver Brandmueller <ob at e-Gitt.NET> wrote:

> Hi,
> 
> till it's fixed in base (which I hope is very soon) (or you replace 
> openssl in base with the fixed version from ports or patch manually):
> 
> Would it probably help (with the performance impact in mind) to set 
> malloc option junk:true to lower the risk of leaking information?
> 
> manpage says:
> 
>       "opt.junk" (bool) r- [--enable-fill]
>           Junk filling enabled/disabled. If enabled, each byte of
>           uninitialized allocated memory will be initialized to 0xa5. All
>           deallocated memory will be initialized to 0x5a. This is intended
>           for debugging and will impact performance negatively. This option
>           is disabled by default unless --enable-debug is specified during
>           configuration, in which case it is enabled by default unless
>           running inside Valgrind[2].
> 
> as opposed to:
> 
>       "opt.zero" (bool) r- [--enable-fill]
>           Zero filling enabled/disabled. If enabled, each byte of
>           uninitialized allocated memory will be initialized to 0. Note that
>           this initialization only happens once for each byte, so realloc and
>           rallocm calls do not zero memory that was previously allocated.
>           This is intended for debugging and will impact performance
>           negatively. This option is disabled by default.
> 
> 
> Anyone with better insights could comment on that?
> 
> - Oliver
> 
> 
> -- 
> | Oliver Brandmueller          http://sysadm.in/         ob at sysadm.in |
> |                        Ich bin das Internet. Sowahr ich Gott helfe. |
> 
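A minimal model of the point raised in the reply above, added here as an example (not code from this thread, OpenSSL or jemalloc): junk filling only runs when memory passes through the allocator, so a buffer recycled by an application-level freelist keeps its previous contents. The one-slot arena, the function names and the secret string are constructed for illustration; the fill bytes 0xa5 and 0x5a are the ones the quoted manpage gives.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   64
#define JUNK_ALLOC 0xa5 /* opt.junk: fill for newly allocated memory */
#define JUNK_FREE  0x5a /* opt.junk: fill for deallocated memory */

/* One-slot model of a heap with junk filling enabled (constructed, not jemalloc). */
static unsigned char arena[BUF_SIZE];
static void *sys_malloc(void) { memset(arena, JUNK_ALLOC, BUF_SIZE); return arena; }
static void sys_free(void *p) { memset(p, JUNK_FREE, BUF_SIZE); }

/* Application-level freelist: released buffers are cached, never handed back. */
static void *freelist_head;
static void *fl_alloc(void) {
    void *p = freelist_head;
    if (p == NULL) return sys_malloc();
    freelist_head = NULL;
    return p;                       /* reused without any junk fill */
}
static void fl_release(void *p) { freelist_head = p; }  /* sys_free never runs */

/* Write a secret, release the buffer, allocate again, and count how many
 * secret bytes the second allocation still exposes. */
static size_t stale_bytes(int use_freelist) {
    static const char secret[] = "constructed-session-key";
    unsigned char *a = use_freelist ? fl_alloc() : sys_malloc();
    memcpy(a, secret, sizeof secret);
    if (use_freelist) fl_release(a); else sys_free(a);

    unsigned char *b = use_freelist ? fl_alloc() : sys_malloc();
    size_t n = 0;
    for (size_t i = 0; i + 1 < sizeof secret; i++)
        n += (b[i] == (unsigned char)secret[i]);
    if (use_freelist) fl_release(b); else sys_free(b);
    return n;
}

int main(void) {
    printf("via allocator: %zu stale bytes\n", stale_bytes(0));
    printf("via freelist:  %zu stale bytes\n", stale_bytes(1));
    return 0;
}
```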


