Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20140717175813.GR17402@brightrain.aerifal.cx>
Date: Thu, 17 Jul 2014 13:58:13 -0400
From: Rich Felker <dalias@...c.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: libressl before 2.0.2 under linux
 PRNG failure

On Wed, Jul 16, 2014 at 11:13:44AM +0200, Hanno Böck wrote:
> Hi,
> 
> This has made the news lately:
> https://www.agwa.name/blog/post/libressls_prng_is_unsafe_on_linux
> 
> Should get a CVE. Affected is portable libressl 2.0.0 and 2.0.1 on
> Linux. 2.0.2 has been released:
> https://marc.info/?l=openbsd-tech&m=140548206911600&w=2
> 
> Under certain conditions forking a process can create repeated random
> numbers.
> 
> LibreSSL 2.0.2 contains a workaround, although the reporter of this
> issue thinks this may not be the best approach.
> 
> Please assign CVE.

I'm skeptical of assigning a CVE for this. The case in which repeated
random numbers could happen is not a typical or even reasonably-safe
usage case. Fork without exec is already a risky usage pattern for
several reasons:

- In programs which use arbitrary libraries including some which may
  be internally multi-threaded, it may invoke undefined behavior.
  (Behavior is undefined if the forked child of a multi-threaded
  process calls any non-async-signal-safe function before a successful
  exec, per POSIX.)

- In general, it exposes the address space layout and all data from
  the parent (rather than just data the child actually needs) to the
  child, greatly increasing the risk of leaking this information.

The only typical usage case I'm aware of that involves SSL and fork
without exec is a service that forks a child for each connection. This
normally does not involve grandchild processes without exec, nor does
it involve the main service process exiting, which would be necessary
in order for the pid to be re-assigned. Also, it's likely that such
service processes run in their own process group, in which case it's
impossible for the pid to be re-assigned even if the main serice
process dies.

In addition, the versions of libressl that fixed this issue added new,
possibly worse issues at the same time. See:

http://port70.net/~nsz/47_arc4random.html

Rich

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.