taint.org: Justin Mason’s Weblog

Great article from LWN.net regarding the Debian OpenSSL vulnerability:

It is in the best interests of everyone, distributions, projects, and users, for changes made downstream to make their way back upstream. In order for that to work, there must be a commitment by downstream entities — typically distributions, but sometimes users — to push their changes upstream. By the same token, projects must actively encourage that kind of activity by helping patch proposals and proposers along. First and foremost, of course, it must be absolutely clear where such communications should take place.

Another recently reported security vulnerability also came about because of a lack of cooperation between the project and distributions. It is vital, especially for core system security packages like OpenSSH and OpenSSL, that upstream and downstream work very closely together. Any changes made in these packages need to be scrutinized carefully by the project team before being released as part of a distribution’s package. It is one thing to let some kind of ill-advised patch be made to a game or even an office application package that many use; SSH and SSL form the basis for many of the tools used to protect systems from attackers, so they need to be held to a higher standard.

+1.

Tags: debian, linux, lwn, openssl, packaging, security

If you’ve been following the Debian OpenSSL pRNG security debacle, you may have noticed that there’s a painful problem for people who’ve used a Debian or Ubuntu system in the process of buying a commercial SSL key — they are in a situation where those commercially-purchased keys need to be regenerated.

(When an SSL key is obtained from a commercial Certificate Authority, you first have to generate a Certificate Signing Request on your own machine, then send that to the CA, who extracts its contents and applies a signature to produce a valid CA-issued certificate.)

Things are looking up for these victims, though — some smart cookie at Debian came up with these instructions:

SSL Certificate Reissuance

If you paid good money to have a vulnerable key signed by a Certificate Authority (CA), chances are your CA can re-issue a certificate for free, provided all information in the CSR is identical to the original CSR. Create a new key with a non-vulnerable OpenSSL installation, re-create the CSR with the same information as your original (vulnerable) key’s CSR, and submit it to your CA according to their reissuance policy:

• GeoTrust: Here (Available throughout the lifetime of the certificate. Tucows/OpenSRS in this case, but the instructions are generic to any GeoTrust client.)
• Thawte: Here (Available throughout the lifetime of the certificate.)
• VeriSign: Unknown
• GoDaddy: Here (Only possible within 30 days of the initial order. GoDaddy calls the process “re-keying”, while they call the act of sending you the same signed certificate as your original order a “reissuance”.)
• ipsCA: Generate a new CSR as if you are purchasing a new certificate, follow through the procedure up until you get to the point where you are required to pay with your credit card. At that point contact support via their email and let them know that you are requesting a revocation and re-issue and include the ticket number of your new CSR request.
• CAcert: This is a cost free certification authority. Simply revoke your old certificates and add new ones. (The key has to be created on a fixed machine and ONLY the certification request has to be uploaded!) At the moment the certificate generation will take some time as it seems that many users are re issue there certificate.
• Digicert: Login to Your account to re-issue (free).

This is slightly incorrect, however (unfortunately for me). While GeoTrust claim to offer free reissuance of all its SSL certificates, they don’t really. Their low-cost RapidSSL certs require that you buy ‘reissue insurance’ for $20 to avail of this, if you need to reissue more than 7 days after the initial purchase. :( Wiki updated.

Update: RapidSSL certs are, indeed, now free to reissue! Use this URL and click through on the “buy” link for reissuance insurance — the price quoted will be $0. Wiki re-updated ;). (thanks to ServerTastic for the tip.)

Tags: ca, certificate-authority, certs, debian, geotrust, openssl, rapidssl, reissue, ssl

via Reddit, this Debian Security announcement:

‘Luciano Bello discovered that the random number generator in Debian’s openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.

It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems (ie since 2006! –jm) is recreated from scratch. Furthermore, all DSA keys ever used on affected Debian systems for signing or authentication purposes should be considered compromised; the Digital Signature Algorithm relies on a secret random value used during signature generation.’

and, of course, here’s the Ubuntu Security Notice for the hole:

Who is affected

Systems which are running any of the following releases:

• Ubuntu 7.04 (Feisty)
• Ubuntu 7.10 (Gutsy)
• Ubuntu 8.04 LTS (Hardy)
• Ubuntu “Intrepid Ibex” (development): libssl <= 0.9.8g-8
• Debian 4.0 (etch) (see corresponding Debian security advisory)

and have openssh-server installed or have been used to create an OpenSSH key or X.509 (SSL) certificate. All OpenSSH and X.509 keys generated on such systems must be considered untrustworthy, regardless of the system on which they are used, even after the update has been applied. This includes the automatically generated host keys used by OpenSSH, which are the basis for its server spoofing and man-in-the-middle protection.

It was apparently caused by this incorrect “fix” applied by the Debian maintainers to their package. One wonders why that fix never made it upstream.

Bad news….

Update: Ben Laurie tears into Debian for this:

What can we learn from this? Firstly, vendors should not be fixing problems (or, really, anything) in open source packages by patching them locally - they should contribute their patches upstream to the package maintainers. Had Debian done this in this case, we (the OpenSSL Team) would have fallen about laughing, and once we had got our breath back, told them what a terrible idea this was. But no, it seems that every vendor wants to “add value” by getting in between the user of the software and its author.

+1!

For what it’s worth, we in Apache SpamAssassin work closely with our Debian packaging team, tracking the debbugs traffic for the spamassassin package, and one of the Debian packagers is even on the SpamAssassin PMC. So that’s one way to reduce the risk of upstream-vs-package fork bugs like this, since we’d have spotted that change going in, and nixed it before it caused this failure.

Here’s a question: should the OpenSSL dev team have monitored the bug traffic for Debian and the other packagers? Do upstream developers have a duty to monitor downstream changes too?

This comment puts it a little strongly, but is generally on the money in this regard:

the important part for OpenSSL is to find a way to escape the blame for their fuck-up. They failed to publish the correct contact address for such important questions regarding OpenSSL. Branden (another commenter –jm) noted that the mail address mentioned by Ben is not documented anywhere. It is OpenSSL’s responsibility that they allowed the misuse of openssl-dev for offtopic questions and then silently moving the dev stuff to a secret other list nobody outside OpenSSL knew about.

I’m sure Debian is willing to take their fair share of the blame if OpenSSL finally admits that their mistake played a major role here as well. After all the Debian maintainer might have misrepresented the nature of his plans, but he gave warning signs and said he was unsure. But as it appears now all the people who might have noticed secretly left openssl-dev, the documented place for that kind of questions. This is hardly the fault of the maintainer.

Update 2: this Reddit comment explains the hole in good detail:

Valgrind was warning about unitialized data in the buffer passed into ssleay_rand_bytes, which was causing all kinds of problems using Valgrind. Now, instead of just fixing that one use, for some reason, the Debian maintainers decided to also comment out the entropy mixed in from the buffer passed into ssleay_rand_add. This is the very data that is supposed to be used to see the random number generator; this is the actual data that is being used to provide real randomness as a seed for the pseudo-random number generator. This means that pretty much all data generated by the random number generator from that point forward is trivially predictable. I have no idea why this line was commented out; perhaps someone, somewhere, was calling it with uninitialized data, though all of the uses I’ve found were with initialized data taken from an appropriate entropy pool.

So, any data generated by the pseudo-random number generator since this patch should be considered suspect. This includes any private keys generated using OpenSSH on affected Debian systems. It also includes the symmetric keys that are actually used for the bulk of the encryption.

A pretty major fuck-up, all told.

Update 3: Here’s a how-to page on wiki.debian.org put together by the folks from the #debian IRC channel. It has how-to information on testing your keys for vulnerability using a script called ‘dowkd.pl’, details of exactly what packages and keys are vulnerable, and instructions on how to regenerate keys in each of the (many) affected apps.

It notes this about Apache2 SSL keys:

According to folks in #debian-security, if you have generated an SSL key (normally the step just prior to generating the CSR, and then sending it off to your SSL certificate provider), then the certificate should be considered vulnerable.

So, bad news — SSL keys will need to be regenerated. Add ‘costly’ to the list of downsides. (Yet another update: this hasn’t turned out quite that badly after all — many CAs are now offering free reissuance of affected certs.)

Looking at ‘dowkd.pl’, it gets even worse for ssh users. It appears the OpenSSH packages on affected Debian systems could only generate 1 of only 262148 distinct keypairs. Obviously, this is trivial to brute-force. With a little precomputation (which would only take 14 hours on a single desktop!), an attacker can generate all of those keypairs, and write a pretty competent SSH worm. :(

Update: voila, precomputed keypairs, and figures on the viability of remote brute-forcing the keyspace in 11 minutes.

Tags: debian, holes, openssh, openssl, security, ubuntu, vulnerabilities

Hardware: Slashdot: Nokia’s Linux Handheld. It’s to be called the Nokia 770 Internet Tablet, and runs on an open source development platform called Maemo.

This looks really nifty. ARM processor, 800×480 pixel resolution, GTK+, 2.6 kernel, wifi, 3 hours of active battery life, and a clever panning system to get around the clunkiness of scrollbars on a touchscreen.

I note particularly that they seem to have planned to include an RSS reader based on Liferea.

The Maemo site looks interesting, in that it’s clearly a bunch of switched-on, open-source-comprehending developers who set it up; it’s built using Apache Forrest, they use Bugzilla for issue tracking, Mailman for lists, the terms of use for user contributions explicitly call out OSI-approved licenses as a requirement, there’s plentiful references to Debian’s apt as the preferred means of installing developer platform software, and Maemo apps are distributed as Debian packages.

There’s clearly been quite a lot of work going on behind the scenes. There’s already some third-party apps out there, such as those on INdT’s Maemo apps page, and the the SDK tutorial contains copious detail, suggesting it’s been seeing some use.

That SDK tutorial is full of tantalizing glimpses into Maemo’s operation.

It all looks very promising, and nicely hackable! I’m looking forward to a closer look at one of these. It’s especially good to see such a solid comprehension of the open source model by such a major company. (If only they could have a word with their patents department ;)

Update: They’ve ported WebCore to GTK+. Mobile Gazette has more info, too, including this worrying line:

And although Nokia hold several patents for (the Maemo development platform), they intent to open up access to their intellectual property to aid development.

(My emphasis.) That line is not encouraging, seeing as it seems to be a pretty typical cross-compilation platform as seen in embedded systems development. But hey, let’s see the patents first.

Tags: debian, development, gtk, hardware, maemo, nokia, platform, sdk, source, tutorial, use

Web: What’s the link between Debian Linux and Dueling Banjos? Any ideas? No? Well, according to Debian Weekly News of September 16th, 2003, it’s become what’s called a Google-flop:

No Dueling Banjos from Debian. Some of the most bizarre mails on debian-devel over the years have been repeated requests by various people for the sheet music for dueling banjos. Several list subscribers have been eager to assist the posters in their search. Jim Penny called this the Dueling Banjo Effect and explained that this has become a self-perpetuating Google-flop. People use Google which points them to Debian to get this sheet music, and the act of asking reinforces Google’s notion that Debian is a good place to get the music.

(thanks to Rick Moen for pointing this out on the ILUG list.)

Tags: banjos, debian, dueling, google, google-flop, link, linux, list, music, sheet, web

Bits: BarbieOS, a cutdown version of Debian from Mattel. Really. ‘BarbieOS 1.0 is the result of almost a year’s worth of marketing research into what pre-adolescent girls want in a mobile Linux solution aimed at being a desktop replacement.’ (via Ben)

Great site — also has US.BLAST.D Worm Wreaks Havoc on US Post Office, Mail Delivery Halted (’Until a patch can be created by Microsoft and deployed by the MCSEs who maintain the nation’s critical infrastructure, President Bush has urged all Americans to lock in a safe or a drawer all of their pens, pencils, stamps, white paper and envelopes so that they cannot be exploited by the virus and used to write out more copies of itself.’

– and An Open Letter from RIAA President Hillary Rosen to Music Pirates Everywhere (’Currently an RIAA-backed online service known as Pressplay allows users to subscribe for $18.95 a month to a small library of popular works and listen to them via half-quality audio streams if they have broadband connections. Users may download 10 songs a month to burn to CDs if they wish. Pressplay exclusively supports the Windows Media Audio format, and therefore each song benefits from active scripting support, expiration dates, copy protection and proven Microsoft security. With embedded scripts, each song can also enhance the user experience by opening web pages featuring more music they might like to buy. After only 8 months online and a strategic partnership with AOL, Pressplay currently boasts more than 100 subscribers and is growing every day.’)

Spam: Bayesian comment filter for Movable Type, nifty. Pity it’s still using the Paul Graham method, which is not so hot. (thx Antoin!)

Tags: barbieos, bits, cutdown, debian, microsoft, month, music, online, pressplay, song, version

Adequacy.org: Is Your Son a Computer Hacker?:

Is your son obsessed with Lunix?

BSD, Lunix, Debian and Mandrake are all versions of an illegal hacker operation system, invented by a Soviet computer hacker named Linyos Torovoltos, before the Russians lost the Cold War.

Adequacy.org is pretty funny… but they really need to sort out some kind of comment voting system. They have some seriously humor-deficient readers.

Tags: adequacy, bsd, computer, debian, hacker, lunix, mandrake, org, son, system