[Linux-aus] Post in ZDnet re: Heartbleed
Russell Coker
russell at coker.com.au
Tue Apr 15 00:04:57 EST 2014
On Mon, 14 Apr 2014 22:37:57 Kathy Reid wrote:
> There's a post on ZDnet that posits that OpenSSL benefitted little from
> being open source;
> http://www.zdnet.com/did-open-source-matter-for-heartbleed-7000028378/
> I strongly disagree with a lot of the points in the article, but am
> interested in the thoughts of others.
I don't think that the author of that article is qualified to comment on such
things.
> * If OpenSSL wasn't open source, the vulnerability may never have been found
> * The CVE was dealt with transparently and openly
> * The patch was freely available when the CVE was made public
> * The specific code vulnerability, now patched, will make other C codes
> more secure as people learn from the error
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534534
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534656
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534687
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534683
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534685
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534699
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534889
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534892
Above are some bugs I filed against OpenSSL 0.9.8 which were closed when the
new version was released. I don't know if any of them were discussed
upstream, I guess not.
http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse
http://article.gmane.org/gmane.os.openbsd.misc/211963
The OpenSSL code is a mess; the above two URLs give you some background. I
didn't look for any more because I knew that the code was awful after having
tried to work on it. I filed the above Debian bugs while trying to work out
why my application would crash when I used two different libraries linked
against OpenSSL; each of the libraries worked fine on its own, but I got heap
corruption and a SEGV when I used both. Valgrind didn't help me much (only
enough to find 8 bugs, which is nothing) and I gave up and forked off a child
process to use one of the libraries. There could be a security flaw in
OpenSSL related to that bug I found, but as long as it's impossible to run
Valgrind properly I can't find it.
I agree with Theo.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
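The "specific code vulnerability" referred to above is the missing bounds check on a length-prefixed record. As an added illustration, not code from the post, from OpenSSL or from the linked articles, the following C parser uses a constructed, hypothetical record layout (1-byte type, 2-byte big-endian claimed length, payload, 16 bytes of padding) and shows the check that stops a peer who claims more payload bytes than it actually sent. The record format, the function names and the sample messages are all assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record layout, constructed for this example:
 *   byte 0      : record type
 *   bytes 1..2  : claimed payload length, big-endian
 *   bytes 3..   : payload, followed by at least HB_MIN_PADDING bytes of padding */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Copies the payload into out and returns its length, or -1 if the record
 * is malformed. The key check: the claimed length (plus mandatory padding)
 * must fit inside the bytes actually received, so memcpy never reads past
 * the record. */
int hb_parse_payload(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL) return -1;
    if (rec_len < HB_HEADER_LEN) return -1;

    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* Bounds check against what was really received, not what the peer claims. */
    if (claimed + HB_MIN_PADDING > rec_len - HB_HEADER_LEN) return -1;
    if (claimed > out_cap) return -1;

    memcpy(out, rec + HB_HEADER_LEN, claimed);
    return (int)claimed;
}

/* Constructed record builder. `claimed` is written into the header
 * independently of payload_len so a caller can model a peer that lies
 * about its payload size. Returns bytes written, or 0 if buf is too small. */
size_t hb_build(uint8_t *buf, size_t cap, uint16_t claimed,
                const uint8_t *payload, size_t payload_len)
{
    size_t total = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (buf == NULL || cap < total) return 0;
    buf[0] = 1;                              /* arbitrary record type */
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)(claimed & 0xff);
    memcpy(buf + HB_HEADER_LEN, payload, payload_len);
    memset(buf + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return total;
}

/* Honest peer: claimed length matches the 2 payload bytes sent. Returns 2. */
int hb_demo_honest(void)
{
    uint8_t rec[64], out[64];
    const uint8_t msg[] = "hi";              /* constructed 2-byte payload */
    size_t n = hb_build(rec, sizeof rec, 2, msg, 2);
    return hb_parse_payload(rec, n, out, sizeof out);
}

/* Lying peer: claims 65535 bytes but sends 2. The check rejects the record
 * instead of copying memory beyond it. Returns -1. */
int hb_demo_lying(void)
{
    uint8_t rec[64], out[64];
    const uint8_t msg[] = "hi";              /* constructed 2-byte payload */
    size_t n = hb_build(rec, sizeof rec, 65535, msg, 2);
    return hb_parse_payload(rec, n, out, sizeof out);
}

int main(void)
{
    printf("honest: %d, lying: %d\n", hb_demo_honest(), hb_demo_lying());
    return 0;
}
```

The comparison is done against `rec_len`, the number of bytes the caller actually received, never against the length field inside the record; this is the discipline that applies to any length-prefixed wire format parsed in C, and it is the kind of check Valgrind can only flag for you if the allocator underneath is one it can see.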