Announcement

Collapse
No announcement yet.

Libgcrypt/GnuPG Hit By Critical Security Problem Since 1998

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Libgcrypt/GnuPG Hit By Critical Security Problem Since 1998

    Phoronix: Libgcrypt/GnuPG Hit By Critical Security Problem Since 1998

    Werner Koch today publicly announced that Libgcrypt and GnuPG have a "critical security problem" with all versions released prior to today and it affects all platforms...

    http://www.phoronix.com/scan.php?pag...Security-Issue

  • #2
    Wonderful, an 18 year old vulnerability.

    All the open source eyes in the world, and not a single one managed to catch this one until today.

    Comment


    • #3
      Originally posted by Sonadow View Post
      Wonderful, an 18 year old vulnerability.

      All the open source eyes in the world, and not a single one managed to catch this one until today.

      "Many eyes makes all bugs shallow" isn't a promise that open source software is bug free, it's a statement that popular open source software due to many people working on it is going to tend to find and thus solve more bugs than proprietary code and thus be less buggy, again... not bug free

      Comment


      • #4
        Originally posted by Luke_Wolf View Post


        "Many eyes makes all bugs shallow" isn't a promise that open source software is bug free, it's a statement that popular open source software due to many people working on it is going to tend to find and thus solve more bugs than proprietary code and thus be less buggy, again... not bug free
        Quite.

        All the open source eyes in the world, and not a single one managed to catch this one until today.
        Furthermore, despite having no obvious serious ramifications, the imperfection in the pRNG has been caught... by independent parties... and fixed. How long does our wee troll suppose it would have taken them to notice it if it was in MS's Windows kernel, or some other obfuscated propitiatory code?!

        Sarcastic imbecile.

        Comment


        • #5
          Typo alert! Obviously that should have been proprietary! Hope no one wastes too much time pondering "propitiatory"!

          Effin auto"correct"

          Comment


          • #6
            Originally posted by Luke_Wolf View Post


            "Many eyes makes all bugs shallow" isn't a promise that open source software is bug free, it's a statement that popular open source software due to many people working on it is going to tend to find and thus solve more bugs than proprietary code and thus be less buggy, again... not bug free
            You could still combine open source with formal methods. It's only a problem for the lesser minds.

            Comment


            • #7
              Originally posted by Sonadow View Post
              Wonderful, an 18 year old vulnerability.

              All the open source eyes in the world, and not a single one managed to catch this one until today.
              The question is *why* wasn't it found? I took a short look at the patches (gnupg, libgcrypt) and could not figure out what was wrong with the old code (disclaimer: early morning, no tea yet). I'm really curious for the paper that describes the findings and hopefully it will describe how to bug was found.

              Comment


              • #8
                Originally posted by W.Irrkopf View Post

                The question is *why* wasn't it found? I took a short look at the patches (gnupg, libgcrypt) and could not figure out what was wrong with the old code (disclaimer: early morning, no tea yet). I'm really curious for the paper that describes the findings and hopefully it will describe how to bug was found.
                It sounds like a cryptography bug so it likely wouldn't be noticeable by us people who don't have backgrounds in that stuff.

                Comment


                • #9
                  Originally posted by vadix View Post
                  It sounds like a cryptography bug so it likely wouldn't be noticeable by us people who don't have backgrounds in that stuff.
                  Indeed. I doubt it would have been easy to spot even if the person was trained to do this kind of things. I mean, can you notice something like this by just looking at the code?

                  But I think this just tells how important it would be for any FOSS (and even more for any other software) that is to be properly analysed before using it in critical systems (thinking of banks and such) and not just trusting that it is used so much that there isn't any problems. I don't know if that is actually required.

                  Anyway I'd put FOSS before anything else, because of the independence from 3rd parties to provide support (which is, you can almost always buy support from someone else, if needed). Speaking of these FOSS cryptography things, I wonder how many of them have been analysed more than once by different organizations.

                  Comment


                  • #10
                    Originally posted by W.Irrkopf View Post

                    The question is *why* wasn't it found? I took a short look at the patches (gnupg, libgcrypt) and could not figure out what was wrong with the old code (disclaimer: early morning, no tea yet). I'm really curious for the paper that describes the findings and hopefully it will describe how to bug was found.
                    I like how they included whitespace fixes.

                    Comment

                    Working...
                    X