Linux users at risk as ANOTHER critical GnuTLS bug found

The GnuTLS woes continue, with another critical flaw discovered and patched after researchers worked out malicious servers could hijack users of the cryptographic library. Red Hat engineer Nikos Mavrogiannopoulos, who issued a patch for the flaw (CVE-2014-3466) Saturday, shortly after it was reported 28 May by Codenomicon …

COMMENTS

  1. This post has been deleted by its author

    1. Anonymous Coward

      Re: Open source was supposed to be secure

      ...but that's just it. People are looking. People are finding. People are fixing.

      Didn't you read the article? Or are you suggesting that all OSS should be perfect from the moment it's conceived? I think that's probably a bit optimistic! Certainly better but perfect is not a reasonable expectation of any software, I'm sorry to inform you.

      ...and yes, everyone knows X is an atrocity. That's why it's being replaced. If you're trying to imply that closed source is preferable then how many impartial, independent security researchers are picking through MSFT's NT kernel's font rendering code, or auditing Bitlocker, at this moment... rather fewer than are reviewing GnuTLS I'd hazard a guess. How are we supposed to find all the decades old "0-days" in that crap which the miscreants are already exploiting and even trading among themselves?

      1. Anonymous Coward

        Re: Open source was supposed to be secure

        "Didn't you read the article? Or are you suggesting that all OSS should be perfect from the moment it's conceived? I think that's probably a bit optimistic! Certainly better but perfect is not a reasonable expectation of any software, I'm sorry to inform you."

        Then why do so many commentators here expect perfection from closed source? I think this epitomises my problem with open source: it's a laudable idea, but the freedom element extends to a freedom to be mediocre and the slackness to accept it purely because of positive bias.

      2. Stuart 22

        Re: Open source was supposed to be secure

        Found and fixed promptly on Linux. Now had MS used that code in XP would it have been fixed that fast, or indeed at all?

        The real question is not bad code but which system (closed or open) is more likely to encourage it and less able or willing to fix it.

        1. Anonymous Coward

          Re: Open source was supposed to be secure

          My system updated itself today.

          That's a lot faster from exploit notification to fix than MS or Apple...

          1. h4rm0ny

            Re: Open source was supposed to be secure

            >>"That's a lot faster from exploit notification to fix than MS or Apple..."

            Wow. I love how you managed to turn a really complicated set of metrics and as broad a category as vulnerability into such a simple and accurate summation.

            Or I could be being sarcastic. Comparing patch times is complex. Here's a light attempt to do so: http://www.zdnet.com/linux-trailed-windows-in-patching-zero-days-in-2012-report-says-7000011326/

      3. Anonymous Coward

        Re: Open source was supposed to be secure

        >>...but that's just it. People are looking. People are finding. People are fixing.

        If it took two decades in one example and over two years in another example, it seems that people are not looking hard enough. Perhaps you should read the article. Hmm. All that time and all those "impartial, independent security researchers" looking at the code. Just fancy! As for perfect software: of course not. But security software should be a bit closer to that ideal, unless relying upon dishonest people not looking through the code, probably more carefully than the rest.

        If you got the software from a commercial company, for instance, such long term faults would not be tolerated. As for "fixing": after so long? What else is where? There are rather a lot of systems, that may be using this software. How are you going to get all of them patched in the absence of a consistent, generally used, automatic, update service?

        Redhat, by the way, is a commercial firm whose employees are professional and paid. All those amateurs seem to have failed your ideal.

        As for the

        1. Vic

          Re: Open source was supposed to be secure

          If you got the software from a commercial company, for instance, such long term faults would not be tolerated.

          You *what*?

          I've worked for quite a few closed-source companies that charge a significant amount for their code.

          Long-term issues are simply ignored until they can no longer be hidden. Do not believe that, just because you don't hear of them, massive security holes do not exist in closed-source code.

          Vic.

    2. frank ly

      @Oliver Jones Re: Open source was supposed to be secure

      I've upvoted you because I like your sarcastic cynicism (or is it cynical sarcasm?). After a year of running Linux at home I'm now a fan, but I'm not blindly in love with it.

      Open source wasn't 'supposed' to fix any and all security problems, it was intended to give people choice, enable them to make informed decisions and give freedom of action in their use of software. It does all that very well. As with all software products, unless you're a software wizard with lots of free time, your informed decisions are dependent on other people being wizards and there aren't enough of those to go around.

      1. h4rm0ny

        Re: @Oliver Jones Open source was supposed to be secure

        No, Open Source wasn't supposed to be magically more secure than Closed Software. It was supposed to mean that you could verify it yourself if you want and - assuming you're talking about what should more properly be called Libre software - it prevents vendor lock-in and gives surety about what happens if a project is abandoned (you can fork it).

        Well okay, that was the intent. I'll grant you that there is a zealot brigade that touted how "a thousand eyes" would make it inherently more secure than Closed Source software. But they were / are the same brigade that like to go "Micro$oft herrr herrr...XP herr herrr" I.e. closed minded OS bigots. The sort who'll argue until they're blue in the face that Secure Boot is worthless just because GNU/Linux doesn't take real advantage of it yet. But if that mob can be shut up about at least one major misconception they're pushing, it's all to the good.

        Libre Software has real advantages. It might not be magically free of bugs but you have more surety that it doesn't contain backdoors (for example) than Closed Source products. Can you know that MacAfee AV doesn't report back on your computer usage? No. Can you know that Apache doesn't? Not 100% but with much greater confidence. (Or conversely, you can have much greater confidence that Chrome does ;)

        Likewise, if MS drop support for Office tomorrow there's not a great deal you can do about that (other than sell all MS shares fast). But when Star Office is abandoned, you get Open Office and Libre Office.

        That's the point.

        1. This post has been deleted by its author

          1. h4rm0ny

            Re: @h4rm0ny

            >>Did you check your compiler, to make sure it didn't have a backdoor? If not, what makes you think a mere code audit of your source is enough to prevent Trojan code from being inserted?

            One - that would not undermine the point I made. Two, the source code for the compiler I use, since you ask, is here: GCC. And before you start asking about who compiles the compilers, the answer is everyone does and it's verified by a Hash. GCC is very widely used and hashes of legitimate binaries are therefore reliable and easily checked. So your point is not only not a response to what I actually wrote, but wrong as well.

            >>"This particular security aspect of open source was blown to pieces by Ken Thompson nearly 30 years ago, when he demonstrated the addition of Trojan code using vetted, approved source code that contained NO TRACE of the Trojan code."

            If you're trying to make the point (as far as I can work out) that it is possible for someone to introduce a backdoor that isn't immediately noticeable as a backdoor then that's neither in dispute nor something anyone isn't aware of. But your argument is akin to saying a task massively more difficult than another is equivalent because both have a chance of success. Adding a backdoor to closed source is bordering on trivial. Adding one to Open Source that isn't detectable is extremely difficult and constrained to a much narrower range of circumstances. NSA sort of managed to do it with RSA in a way, with their fiddling about with random number generation. And that's an organization of extremely bright people with massive resource working in an area where very few people were qualified to understand the code with a code-base that wasn't publicly reviewed. As I say: extremely difficult. To equate 100:000:1 odds with 2:1 odds by saying both scenarios can occur, shows extremely limited thinking. Not to mention being biased as a pre-requisite.

            >>"What is more, the USAF knew about this sort of thing 30 years ago - so you can bet that the NSA and GCHQ know about it today. There is probably a whole new layer of security exploits in Linux and open source software like OpenSSL, Apache, et cetera, that are based on backdoors in the GNU compiler. Simply hiring eyes to look at the source code won't help you find them."

            Hiring more people to inspect source code won't help find things wrong with the source code? At this point, you're descending into nonsense. Also your invocation of "probably" to make your argument is just a way of trying to escape having to support your argument. In effect, you're just stating an (ill-thought-out) opinion.

    3. Sander van der Wal

      Re: Open source was supposed to be secure

      It was indeed. Open Source was claimed to be safe because everybody had already looked at the code and found nothing wrong. Note the past tense.

      Now we know that nobody looked, or only the three-letter agencies looked at said code. And wrote exploits for it.

      Now the other claim: everybody can fix it. This is partly true, everybody can run the patch and fix it in that sense. But almost nobody can look at the code, see what is wrong with it and create the patch. What everybody can do is look at the code.

      I must say, I love the economics and sociologics of this. O.S was meant to make the world a better place, and in some parts it did. What it also did was make the world a worse place. The three letter agencies got free and easy access, and all they had to do was look at the code, find the bugs and do nothing about them. And lots of the really smart people who also wanted to make money out of that smartness started serving ads, gathering data and making money, instead of writing closed source and making money.

      1. Paul Crawford Silver badge

        Re: @Sander van der Wal

        "What it also did was make the world a worse place. The three letter agencies got free and easy access, and all they had to do was look at the code, find the bugs and do nothing about them."

        And how is this worse than closed source from US companies where the three letter agencies got access by one means or another, found the bugs and do nothing about them as they could be used for spying?

      2. Anonymous Coward

        Re: Open source was supposed to be secure

        The three letter agencies got free and easy access, and all they had to do was look at the code, find the bugs and do nothing about them.

        And somehow that's worse than the three letter agencies having the closed source companies add extra deliberately inserted bugs into their software?

      3. Anonymous Coward

        Re: Open source was supposed to be secure

        "Open Source was claimed to be safe because everybody had already looked at the code and found nothing wrong"

        Oh, you're just going to HAVE to provide a link to that one, I think. Assuming you can provide links to things that just happened in your head.

        1. Anonymous Coward

          @ Robert Long 1: Re: Open source was supposed to be secure

          Eric Raymond's claim in the Cathedral and the Bazaar that "given enough eyeballs, all bugs are shallow" is widely understood to at least imply that open source code should have fewer bugs, and therefore fewer security problems.

          This was once a far more widely held opinion than it is today, but you'd have to be fairly new to the game to suggest that the meme that open source is inherently safer because of all those eyeballs didn't exist.

          http://en.wikipedia.org/wiki/Linus%27s_Law

          Given that finding this particular bug is attributed to Codenomicon, it seems likely that the bug was actually tracked down as a result of the use of debugging tools, rather than by a straightforward code audit, so it gives no support to the "many eyeballs" approach.

    4. Daniel Palmer

      Re: Open source was supposed to be secure

      @Oliver Jones

      >Please remind me, wasn't open source supposed to make huge

      >security problems like this a thing of the past,

      Were there headlines about security issues like heartbleed when the first BSD, GNU etc releases had just come out? I don't think so and I don't think many of the big advocates of opensource have ever said that stuff being opensource will make security issues go away. Most of the opensource licenses date from a time where MMUs weren't common.

      If anything opensource is about getting off of your ass and doing something instead of waiting for other people to do it for you. "You have the source, if you don't like it you fix it".

      1. DropBear

        Re: Open source was supposed to be secure

        "You have the source, if you don't like it you fix it"

        ...and of course you're a whinging bastard if you don't do your own open heart surgery should the need arise - after all, don't they hurl any non-programmer baby off a cliff right at birth?!?

        1. Trevor_Pott Gold badge

          Re: Open source was supposed to be secure

          That would solve rather a lot of problems in short order...

        2. Daniel Palmer

          Re: Open source was supposed to be secure

          @DropBear

          If you can't do it yourself then pay someone to do it.

          1. DropBear

            Re: Open source was supposed to be secure

            If you can't do it yourself then pay someone to do it.

            To continue the analogy, I'm glad your medical insurance covers any procedure you might ever need. Now, as far as the rest of us 99% is concerned...

        3. Anonymous Coward

          Re: Open source was supposed to be secure

          If you're not a programmer, you can't judge the quality of the code. Only how well it works. Nobody expects a non surgeon to judge on the quality of the surgery, only to judge its results. The trick is, with surgery there is a direct relationship between the quality of the work and the results. Not so with code, because bad code can still perform its intended function. Exhibit A: tons of crappy Visual Basic and VBA runs everyday written by non-programmers and nobody complains about its quality, only that the results are ok.

          1. Rick Giles

            Re: Open source was supposed to be secure

            Visual Basic is code?!?

            Stop! You're killin' me!

    5. Rich 2 Silver badge

      Open source - crap code

      It is an unfortunate truth but a lot (I'll not say "most" even though I think it is justified) open source code is, quite frankly, crap. Oh yes, it works. And a lot of it works very well. But if you actually look at the code (and relatively very few people ever do), you will find 99% of the time that it is very badly written, often full of random "goto", "break", and "return" statements, virtually totally uncommented, and generally a very sloppy mess apparently written by someone without the first clue about software design. This all leads to code that, although in theory "anyone can look at and change if they want", in reality "it'll make your head spin trying to understand what the f*** is going on and you will eventually give up".

      I don't know why code quality is such a non-existent priority for many people, and I've definitely seen my fair share of it in the commercial world too, but it seems to be, and this contributes in a big way to why even really obvious bugs go unnoticed for years. The other reason is that nobody actually bothers to look.

      Of course, there are exceptions; there is open source code out there that is well written and understandable. But it is VERY few and far between.

      I will, of course, get modded down for this, but I question the justification for that; I firmly believe and stand by this assessment.

      1. Anonymous Coward

        Re: Open source - crap code

        Yes, you get modded down for your comment. Because if and when you see bad code that you're getting for free, if you are able to judge its badness and can fix it, you should submit a patch. Or if there is a missing feature, you can add it.

        Personally I've done this only a couple of times, the only times I've had to look at code because of a problem in the package I was using. The patches were accepted and the world -well, the code- was a little better.

        In the same vein, other people have submitted patches for my code and made it better.

        Where did you get this expectation of getting millions of lines of perfect code for free?

        Most of the time I look at open source code it is of very high quality. Perhaps because I peek mostly at popular packages (Firefox, Postgres, Linux kernel....) and it is true that the less popular something is, the more likely it is to contain crappy code. But if you find bad code on free software, and are qualified to judge it as bad, and are able to fix it, you should. Only by lots of people doing that can the code become as good as the one in, say, Postgres (which is of amazing clarity and quality and has been in the public for 20 years).

        1. Rich 2 Silver badge

          Re: Open source - crap code

          "...if and when you see bad code that you're getting for free, if you are able to judge its badness and can fix it, you should submit a patch"

          That should keep me busy for the next thousand years :-) It's rather difficult to submit a "patch" when (a) the code is incomprehensible in the first place and (b) the "patch" would consist of "delete all lines from 1 onwards and replace with this".

          "Where did you get this expectation of getting millions of lines of perfect code for free?"

          I never said I did. And just because it's free is no justification for it being crap. Do you think that if you're writing code commercially that you should do it properly, but if you're planning on giving it away for free that you are duty-bound to make a hash of it?

          And I can't comment on the Firefox or Postgresql codebase but I can say that some of the Linux kernel code is awful; especially some of the driver stuff.

          1. Anonymous Coward

            Re: Open source - crap code

            "That should keep me busy for the next thousand years :-)" mmmm.... I guess you're still in the "competent incompetent" stage of programming. Code more, read more code from others and in a few years you'll have a different perspective.

            And ultimately it is your decision. If you've read and understood a piece of code to the point of being able to rewrite it, then you have the option of... rewriting it. If you don't do it, it has to be because the code is possibly bad, but not bad enough for you to use it.

            And no, being free is no justification for being crap. In fact, being open is a good motivator to at least try to make it of decent quality, because your coding mistakes will be exposed to the world at large. But at least the price/quality ratio is unbeatable and you have the chance of improving it. Which is not possible if you don't have the code.

            Speaking of "commercial" does not make much sense because a large part of open source code is written by people getting paid to do it. Best to talk about "closed", where the quality is largely an unknown since you don't see the code. In that case, you're doomed and only able to judge results (performance, bugs, security) but not the code itself.

          2. Havin_it

            Re: Open source - crap code

            >That should keep me busy for the next thousand years :-@

            Well, that's up to you, isn't it? I dare say, given that it's apparently almost all awful, you might want to prioritise in favour of that which offends you most. It might be a more productive use of your free time than whinging on internet forums, anyway.

            >(a) the code is incomprehensible in the first place

            And calling the author out on that is something you're obviously too much of a shrinking violet to contemplate...

            >(b) the "patch" would consist of "delete all lines from 1 onwards and replace with this".

            Suffix with "...and here's why:" and the only potential hurdle is dev ego. (OK I'll give you that one)

            >And just because it's free is no justification for it being crap.

            It's only you who are asking for justification. It is out there in the public domain precisely so people like you, who can see that it's crap, and see why it's crap, can help make it less crap. Anything beyond that is your own inference. Personally I think you royally suck as an armchair critic, but you haven't mentioned whether you're accepting revisions to your posts. What's your licence for that?

        2. Anonymous Coward

          Re: Open source - crap code

          "Because if and when you see bad code that you're getting for free, if you are able to judge its badness and can fix it, you should submit a patch. Or if there is a missing feature, you can add it."

          So I take it that every morning on your way to work, when you see a pot hole you stop and fill it in, when you see the bushes covering a traffic sign you stop and cut the foliage back etc. and yet still manage to arrive at work on time...

          1. Daniel Palmer

            Re: Open source - crap code

            >So I take it that every morning on your way to work,

            >when you see a pot hole you stop and fill it in,

            You pay taxes for someone to maintain the roads for you.

            Opensource licenses usually give you rights to do whatever you like with the code on the agreement that said code comes with absolutely no warranty or assurance that it's fit for purpose. That's why some people like to use opensource but pay someone like RedHat to maintain it and support them when they need support. The guy that found this bug is a RedHat guy isn't he? So someone at RedHat found a bug, it got fixed and an announcement was made so everyone doesn't ignore the update.... so the only difference to closed source here is that the issue and the fix have been made public and even people that don't pay RedHat benefit.

            1. Anonymous Coward

              Re: Open source - crap code @Daniel Palmer

              >You pay taxes for someone to maintain the roads for you.

              There are many who don't pay taxes and so use the (non-toll) roads for free. This is exactly the same situation as Open Source where a few pay the RedHat 'tax'/fee but the results are available to all.

          2. James Hughes 1

            Re: Open source - crap code

            Almost all code, open source, closed source, alien source, is pretty badly written - difficult to read and spot issues.

            No point in singling out the open source stuff as a target because of that- but at least you can see it's not great, and make an informed decision to use it, fix it, or use something else.

            There seems to be a large number of commenters above who fail to understand OSS. It's free, and yet they expect the sort of support you only find with paid for closed source software. I'm afraid that's not the way it works, but in the same vein, you don't have to use it. You can usually find closed source paid for software that may well be a better option because you need support.

            It's a pretty simple choice at the end of the day. Choose one of the following...(other options may be available)

            a) Write the software you need yourself

            b) Buy in a package that does what you need and get support.

            c) Use free OSS software, that may well have issues and has little support and live with it.

            d) Use free OSS software, but inspect and fix any issues that affect you yourself.

            e) Use free OSS software, but inspect and pay to have any issues that affect you fixed.

            You really need to do the costings and see which one is best for you. For me it's c) with occasional d)

        3. Anonymous Coward

          Re: Open source - crap code

          Being free is no excuse for being of bad design, implementation or requiring patching unless it is intended for just the author's use and will not be spread around. At that point, I expect the Linux bods who make up the approval and integration staff, whether Mr. Torvalds or the distributors of CleverLinux Ltd, to review and fail the code before it gets into a public distribution, where the vast majority will just use it, unaware and without being programmers or software professionals of any sort nor even, generally, at all interested in software beyond its claimed functionality: read email, play a film or read a website.

          The failure to realise this is one of the biggest blocks holding up the wider, public use of Linux and the source of good maintenance and distribution contract income to Redhat, Suse and others.

      2. Anonymous Coward

        Re: Open source - crap code

        "it'll make your head spin trying to understand what the f*** is going on and you will eventually give up".

        It's pretty easy to demonstrate the wrongness of that statement: The Gnu/Linux kernel is very well documented (you can obtain it in easily digestible book form) and is used as a reference for best practice. If it wasn't trivially simple to work on and build/test, then it wouldn't have gained the traction it has. (We would all be running Hurd, Minix or BSD now.)

        1. Anonymous Coward

          Re: Open source - crap code

          Reading an "easily digestible book form"? Excellent way of spotting faults in code, absolutely.

          Also, this assumes that the genius who wrote the book understood, fully, the design and implementation.

          You lot hang yourselves again and again with such supercilious twaddle. By the way, a lot of us are running BSD (one of the *BSD releases or OSX - though they tend to run the same shell layer programmes).

      3. Tom 38 Silver badge

        Re: Open source - crap code

        Rich, what you don't realise is that most code in the world isn't just crap, it's real crap. Code that no-one ever has to show to anyone is the crappest code of all.

        The point of OSS is that you, yes YOU, can look at the code and determine if it is crap or not. GnuTLS has long been known to be crap.

      4. Martin Gregorie Silver badge

        Re: Open source - crap code

        It is an unfortunate truth but a lot (I'll not say "most" even though I think it is justified) open source code is, quite frankly crap.

        That's just another consequence of Sturgeon's Law which stated that 90% of everything is utter crap. Think about it. Theodore Sturgeon, an SF author, was spot on.

        I've seen bad OSS code, but at least I could look at it and see that it was bad. However, I've seen much worse closed source commercial code, which carries the extra benefit that you can't see how bad it is until you've paid good money for that dubious privilege.

        How about a COBOL accounting system where all the programs were written to the same appalling standard. All the paragraph names in every procedure division were numeric though not in sequence. Section names? you must be kidding. No sections used. All the data names in every data division were of the form MT01 starting from the name of the first magnetic tape file and incrementing until the last field in the last record in the last mag tape file was reached. Same for cards (CR01,...), printed output (LP01,....) and working storage (WS01,...). Oh yeah, the code was totally devoid of comments outside the identification division. I only got to see this crap because the company I worked for had paid good money for it. It was so bad that it was unmaintainable and almost impossible to use so we junked it and wrote our own accounting package. Doing that was easier, took less time and saved us money on maintenance because we wrote it to be easily readable and well enough commented to be understandable even if the design documentation got lost or out of date - the norm in those days.

      5. h4rm0ny

        Re: Open source - crap code

        >>"Of course, there are exceptions; there is open source code out there that is well written and understandable. But it is VERY few and far between."

        I don't disagree with any of your points. But I do wonder why you limit them to only Open Source software instead of all of it (ime).

      6. Rick Giles

        Re: Open source - crap code

        "It is an unfortunate truth but a lot (I'll not say "most" even though I think it is justified) open source code is, quite frankly crap. Oh yes, it works. And a lot of it works very well. But if you actually look at the code..."

        So what's MicroSloth's excuse other than you can't look at most of the code?

      7. Nuke

        @Rich 2 - Re: Open source - crap code

        Wrote :- ".. if you actually look at [Open Source] code ... you will find 99% of the time that it is very badly written"

        Be kind (and support your point) would you please by posting a copy of, say, Microsoft's source for Win8 or Adobe's for Photoshop, so we can all see how to code properly.

  2. Androgynous Crackwhore

    Luckily (!!!!!??!???!??!!!!ONE!!!!) TOR uses OpenSSL.

    (Wouldn't have thought I'd be saying THAT when I got up this morning)

  3. Anonymous Coward

    Microsoft et al are Linux's best friend...

    ... spending vast amounts of resources trying to find, highlight & report bugs in the Open Source software, thus improving its quality.

    It's a shame that the favour cannot be reciprocated to the buggy, Closed-source software that they produce.

    1. Anonymous Coward

      Re: Microsoft et al are Linux's best friend...

      trying to find & exploit bugs.

      fixed it...

      1. Anonymous Coward

        Re: Of Course

        This is a Microsoft issue! Bet they're to blame if your fucking corn flakes are soggy.

        Why don't you stop trolling and go and fix some security bugs in some open source software?

    2. Anonymous Coward

      Re: Microsoft et al are Linux's best friend...

      Given that this bug was found by Codenomicon, who write tools that test the behavior of running code for security vulnerabilities, I'd say that it's probably unlikely that this bug was found by someone eye-balling the code, and they can (and do) use exactly the same techniques on Microsoft's code, so there's absolutely no reason that you couldn't pay to have them reciprocate the favor.

      Unless you're a freetard, of course.

      1. Rick Giles
        Mushroom

        Re: Microsoft et al are Linux's best friend...

        "Unless you're a freetard, of course."

        I thought I banned that term as hate speech.

  4. Destroy All Monsters Silver badge
    Trollface

    Someone is actually using GnuTLS?

    GnuTLS considered harmful

    Date: Sat, 16 Feb 2008 13:12:31 -0800

    "Looking across more of their APIs, I see that the code makes liberal use of strlen and strcat, when it needs to be using counted-length data blobs everywhere. In short, the code is fundamentally broken; most of its external and internal APIs are incapable of passing binary data without mangling it. The code is completely unsafe for handling binary data, and yet the nature of TLS processing is almost entirely dependent on secure handling of binary data.

    I strongly recommend that GnuTLS not be used. All of its APIs would need to be overhauled to correct its flaws and it's clear that the developers there are too naive and inexperienced to even understand that it's broken."

    Well, maybe it has been fully rewritten since then but I doubt it.

    1. Daniel Palmer

      Re: Someone is actually using GnuTLS?

      Maybe you should have read some of the follow ups:

      http://www.openldap.org/lists/openldap-devel/200802/msg00076.html

      There are reasons that GnuTLS has to be used in some situations and it's not because of its fantastic quality.

      I'm also not sure what your comment brings to the table either really. So GnuTLS is internally quite badly implemented or at least it was in 2008. So because of that people shouldn't try to fix security issues in it? Every time C is mentioned you keep making out like there is some amazing alternative out there but never seem to actually say what it is.. Do you have a replacement for GnuTLS that is GPL compatible and will just plug into all of the apps out there that are using GnuTLS?

      1. sabroni Silver badge

        Re: There are reasons that GnuTLS has to be used in some situations

        Followed that link. The comment basically says "we have to use it as it's the only one compatible with the licences". I don't see how that follows the initial post that says "most of its external and internal APIs are incapable of passing binary data without mangling it". Surely if the only licensable option is insecure then someone's going to have to write a new one or fix the old one.

        The original post quoted said "it needs to be using counted-length data blobs everywhere". Isn't this the "amazing alternative" you're asking for?

        1. Daniel Palmer

          Re: There are reasons that GnuTLS has to be used in some situations

          >I don't see how that follows the initial post that says

          The original post is suggesting that GnuTLS is bad. No one has said it isn't. There are reasons that OpenSSL can't be used in some places. And OpenSSL is just as hairy if the recent noise about it is to be believed. So GnuTLS is badly implemented according to one email 6 years ago. Whoopee.

          >Isn't this the "amazing alternative" you're asking for?

          Can I compile that email into a library that applications that link against GnuTLS can use?

          1. Destroy All Monsters Silver badge
            Holmes

            Re: There are reasons that GnuTLS has to be used in some situations

            I'm also not sure what your comment brings to the table either really.

            What kind of "Could well be Unfit for Purpose" is unclear to you?

            The original post is suggesting that GnuTLS is bad. No one has said it isn't.

            Thus GNU License trumps Fitness For Purpose.

            The sadness of License True Believers (LTBs) in a double negative.

            With that kind of attitude, you ain't gonna get much traction, kid.

            1. Daniel Palmer

              Re: There are reasons that GnuTLS has to be used in some situations

              @Destroy All Monsters

              >What kind of "Could well be Unfit for Purpose" is unclear to you?

              According to one guy 6 years ago. And this is about a patch that apparently fixes some of its crapness. Anyone would think you would be happy.

              >Thus GNU License trumps Fitness For Purpose.

              >The sadness of License True Believers (LTBs) in a double negative.

              I don't like the GPL in some cases. That doesn't stop other people licensing their stuff under the GPL (I know right, people doing what they like with their own stuff, inconsiderate bastards) but if it's GPL you have to follow the rules and that means a GPL licensed TLS library is required. There aren't many of those around. So I'm just glad people are taking the time to fix issues in GnuTLS because however shitty it is according to one random post you googled some people have to put up with it.

              >With that kind of attitude, you ain't gonna get much traction, kid.

              I don't know you but I'll use your impressive discussion technique. Bugger off old man, you're smelling up the joint.

          2. sabroni Silver badge

            Re: So GnuTLS is badly implemented according to one email 6 years ago

            Jesus, that post is rubbish. You go from "The original post is suggesting that GnuTLS is bad. No one has said it isn't." to "So GnuTLS is badly implemented according to one email 6 years ago" in the same paragraph, pausing only to say that OpenSSL is also shit. Is it possible that maybe you need a third, non-shit alternative?

            >> Can I compile that email into a library that applications that link against GnuTLS can use?<< No, but you could presumably submit a patch that used counted length data blobs instead of using strlen and strcat.

            1. Daniel Palmer

              Re: So GnuTLS is badly implemented according to one email 6 years ago

              >Is it possible that maybe you need a third, non-shit alternative?

              Yes, we need a non-shit TLS library that: Is multi-licensed so it can be linked with lots of existing software, has an API that is compatible with OpenSSL and/or GnuTLS so we can run existing binaries with it.. the count for workable opensource TLS libraries is probably around 5. Number of libraries that fit the previous requirements: 0. You know, it might be a good idea to fix security issues in libraries we depend on but can't readily replace!

              > No, but you could presumably submit a patch that used counted length data blobs

              Have you verified that the stated issue is A: actually an issue, B: still exists in the code base 6 years later, C: can be fixed without breaking the rest of the library? Nope. So you don't have an alternative, you have a posting on a forum... you know what, I'll stick to having RedHat employees looking for and fixing stuff and Debian picking up those patches.

    2. Paul Crawford Silver badge

      Re: Someone is actually using GnuTLS?

      Hopefully like the heartbleed fall-out some big Linux corporate users/backers will put some money in to having it properly reviewed and re-written as needed.

      Instead of dicking around with the GUI yet again...

  5. Anonymous Coward 101

    How severe is this bug?

    How many people looked at this code before now?

    And how capable were they to find errors?

    If the answer to these questions is 1) very 2) few 3) not very, then we will know exactly how secure OSS is in practice, not theory.

    I don't care if I can look at the code myself - I'm not capable of verifying the code is sound, and I don't have the time anyway. I am relying on specialists to do this job, just as people rely on me to do the thing I specialise in. If I buy a car, I want the fucking brakes to work correctly. I will not be amused if the brakes fail, and I am chided for not having checked them over myself.

    1. ElReg!comments!Pierre

      Re: How severe is this bug?

      > I will not be amused if the brakes fail, and I am chided for not having checked them over myself.

      I think it's still among the first few things they teach young drivers:

      - check the tires

      - test the brakes

      So, your analogy kinda sucks. Of course you knew that already: it's a car analogy. These very rarely work.

      1. Anonymous Coward

        Re: How severe is this bug?

        >I think it's still among the first few things they teach young drivers:

        - check the tires

        - test the brakes

        Doing neither of these will prevent the brakes from failing or a tyre getting a puncture, the checks merely confirm at the time of the check (ie. before you started your journey) the brakes worked and the tyres had tread and were inflated.

        So in this case the analogy does sort of work.

    2. Anonymous Coward

      Re: How severe is this bug?

      If the answer to these questions is 1) very 2) few 3) not very, then we will know exactly how secure OSS is in practice, not theory.

      We already know that:

      In practice the botnets aren't made up of linux systems.

      In practice we don't have armies of IT techs running around disinfecting linux systems.

    3. plrndl
      Linux

      Re: How severe is this bug?

      "If I buy a car..."

      And if someone gives you a free car, and explicitly states that it is not guaranteed, and that you are responsible for determining its fitness for purpose...?

      1. Anonymous Coward 101

        Re: How severe is this bug?

        "And if someone gives you a free car, and explicitly states that it is not guaranteed, and that you are responsible for determining its fitness for purpose...?"

        Right, Linux is free, therefore nobody has any right to expect anything from it? And we have to determine 'fitness for purpose': the implication being that if someone wants to stick Linux on an old laptop, they have to scour every line of code to ensure there are no fatal security bugs?

      2. heyrick Silver badge

        Re: How severe is this bug?

        So what you are saying is that "Linux is free and if parts of it suck, too bad, go fix it yourself"?

        Given these systems are deployed in what may be some fundamentally important parts of the Internet (hands up if your ADSL box/router isn't running some hack-job mashing up a cut-down Debian with Busybox), do you think that it is unreasonable to expect that the security side of things be a little higher standard than "too bad, it's free, what do you expect?".

        Oh, and as for the "fix it yourself" comments. Grow up. The number of people that can fiddle with a piece of code to fix a bug or two? Many. The number of people who understand said code well enough to fix an issue without subtly breaking a dozen other things? Considerably fewer. This is, of course, assuming that somebody with sufficient experience is willing to audit these changes before committing them, because if not...well, wouldn't that just be the mother of all nightmares.

        1. Anonymous Coward

          Re: How severe is this bug?

          Given these systems are deployed in what may be some fundamentally important parts of the Internet (hands up if your ADSL box/router isn't running some hack-job mashing up a cut-down Debian with Busybox), do you think that it is unreasonable to expect that the security side of things be a little higher standard than "too bad, it's free, what do you expect?".

          It's an odd thing isn't it?

          I had similar expectations of Windows when I saw that taking off. That because people had paid for it, those who designed it, and coded it, would have put the security and privacy of the users they sold it to, at the very heart of it. At least with open source you don't get known zero day exploits being ignored in the code base, by those who write it. We have seen that on the closed source OSs, like that IE one which was known about by security researchers for years, but MS never bothered to patch it.

          1. heyrick Silver badge

            Re: How severe is this bug?

            True, I rather suspect IE6 was simply a pile of interacting bugs that sort of approximated a browser. Thing is, though, that Internet Explorer is not critical to the functioning of the internet, and while I have not seen every router ever made, I've seen enough that do not run anything Windows.

            As for the zero days being fixed quickly - this is good to know but it is only useful for those of you with desktop machines and server class machines. Who is going to patch flaws in Liveboxes and Home Hubs? Who is going to issue firmware updates for WiFi bridges and all these little gadgets that are basically an ARM or MIPS-like SoC with a small Linux on FlashROM?

  6. Benchops

    List of software affected would be useful

    There's a bug! Sounds serious! Am I affected? ... dunno.

    Which software is actually affected? sshd? Apache/SSL? Psi/SSL? I don't know.

    FTA: "Users of other affected software will have to sit tight until their developers incorporate the fix. Until then, they'll remain open to malware attacks."

    Well, no, they could turn off the affected systems until a patch makes it downstream to their distro repositories, or even patch the affected library themselves, but since you're not reporting the affected software I have no idea if I should be bothered! For "I" read "lots of your readers" ;)

    1. Vic

      Re: List of software affected would be useful

      > Which software is actually affected?

      From my current repository set :-

      aiccu

      aria2

      ario

      buoh

      cairo-dock-plug-ins

      claws-mail

      claws-mail-plugins-bogofilter

      claws-mail-plugins-dillo

      claws-mail-plugins-pgp

      claws-mail-plugins-smime

      claws-mail-plugins-spamassassin

      clementine

      climm

      csync2

      cups

      cups-ipptool

      cups-libs

      cups-lpd

      cups-php

      ekg2-jabber

      empathy

      evolution-exchange

      filezilla

      freeDiameter

      freetds

      gedit-collaboration

      glib-networking

      gloox

      gnome-mplayer

      gnomint

      gnustep-base

      gnutls-c++

      gnutls-devel

      gnutls-guile

      gnutls-utils

      gstreamer-plugins-bad

      gtk-gnutella

      gtkpod

      gtk-vnc

      gtk-vnc2

      gtk-vnc-python

      gvfs-afc

      gvnc

      gvnc-tools

      gwenhywfar

      gwenhywfar-gui-qt4

      ifuse

      iksemel

      iksemel-utils

      infinoted

      jd

      kazehakase-base

      kazehakase-ruby

      kipi-plugins

      lftp

      libabiword

      libepc

      libepc-ui

      libetpan

      libgadu

      libgpod

      libguestfs

      libimobiledevice

      libimobiledevice-python

      libinfinity

      libinfinity-gtk

      libmicrohttpd

      libnussl

      libprelude

      libpreludedb

      libpreludedb-mysql

      libpreludedb-pgsql

      libpreludedb-python

      libpreludedb-sqlite

      libprelude-devel

      libprelude-python

      libprelude-ruby

      libpurple

      librtmp

      libsoup22

      libsyncml

      libvirt

      libvirt-client

      libvirt-python

      libvmime

      libvncserver

      loudmouth

      mod_gnutls

      mpop

      msmtp

      mutt

      neon

      net6

      ngircd

      nntpgrab-core

      nntpgrab-server

      nntpgrab-server-gtk

      ntfsprogs

      nzbget

      openconnect

      openvas-client

      openvas-libraries

      openvas-manager

      openvas-scanner

      pacemaker

      pacemaker-cli

      pacemaker-cluster-libs

      pacemaker-libs

      postal

      prelude-lml

      prelude-manager

      prelude-manager-db-plugin

      prelude-manager-smtp-plugin

      python-gnutls

      python-gpod

      qemu-system-arm

      qemu-system-cris

      qemu-system-m68k

      qemu-system-mips

      qemu-system-sh4

      qemu-system-x86

      qutim-jabber

      rhythmbox

      rsyslog-gnutls

      rtmpdump

      sslogger

      sslogger-slogd

      suricata

      telepathy-gabble

      telepathy-salut

      tigervnc

      tigervnc-server

      tigervnc-server-minimal

      tigervnc-server-module

      vino

      vlc-core

      vpnc

      weechat

      wine-core

      wireshark

      xen-runtime

      xfce4-mailwatch-plugin

      xmlsec1-gnutls

      Most of that isn't installed on my machine...

      Vic.

    2. vagabondo

      Re: List of software affected would be useful

      from http://gnutls.org/security.html

      This vulnerability affects the client side of the gnutls library. A server that sends a specially crafted ServerHello could corrupt the memory of a requesting client.

      This is GPL, so (unlike the Apache-licensed OpenSSL TLS) it cannot be hidden inside a closed-source package. You would have to be using a Free browser, mail client etc. that uses libgnutls to be vulnerable. Your system's package manager tools should be able to tell you if the GNU TLS library is loaded, what version, and what other software depends on it.

      We manage a fleet of openSuSE servers and desktops. None of the servers has this library. Many of the desktops (openSuSE/KDE) do have libgnutls as a dependency of an ffmpeg decoder package (from the third-party Packman repositories), but I cannot determine whether the certificate verification function is ever called.

  7. 1Rafayal

    So does this mean that the Open Source movement are making the same mistakes as the likes of MS, Oracle et al? But just in a different way...

    1. vagabondo

      making the same mistakes

      All programmers make these (i.e. programming) mistakes, irrespective of who they are working for. The difference is that Free software producers publish their code for inspection and correction. The proprietary software producers keep their mistakes hidden, and reserve the capability of correcting them; mostly the fixes only follow exploitation.

      1. Anonymous Coward

        @ vagabondo Re: making the same mistakes

        This bug was found by a company that makes software tools that test the behavior of compiled code, so it probably wasn't discovered by someone poring over a printout of the gnutls code.

        The fact that this is an open source library probably had nothing at all to do with this bug being uncovered - it was probably found in exactly the same way that bug would be uncovered in a closed-source application.

    2. Roland6 Silver badge

      Re: Open Source movement are making the same mistakes ...

      Yes and no!

      I suggest the media spotlight is helping to push the Open Source movement to become more professional and focused on the quality of their product and specifically its security, due in part to the increasing visibility and use of Open Source. Which is something MS had to face up to and address years back with XP (and release SP2) and has resulted in the adoption of software engineering practices, which have resulted in a steady stream of security updates to Windows and each new version of Windows including additional security features.

      So yes I agree the Open Source movement are making the same mistakes, or falling into the same traps, the question is whether it can get itself out of them. To my mind the Open Source movement needs to have put these problems behind it so that it can gain from Windows 7 et al going end of life in Jan-2020. This may mean that quality Open Source no longer equates to free, which will upset some people...

      1. 1Rafayal

        Re: Open Source movement are making the same mistakes ...

        @vagabondo - so if all the code is freely available for people to pore over and check for mistakes, how did this one slip through the net? My initial post asked if they are making the same mistakes as closed source developers, but in a different way. Regardless, all software needs to go through a QA process, irrespective of it being open source or not.

        @Roland6

        Precisely, as open source software gains more ground in the real world, more and more people are going to be contributing to it. If the existing QA process doesn't work, i.e. if they rely on the world at large to spot bugs in working systems, doesn't it mean that the open source community needs to spend time going through things like basic regression? OR somehow come up with a better QA process?

        Also, why are there so many open source projects that have a free community edition that doesn't have all the features you need, and an enterprise version which does. For example, the difference between Puppet and Puppet Enterprise.

        1. midcapwarrior

          Re: Open Source movement are making the same mistakes ...

          "Precisely, as open source software gains more ground in the real world, more and more people are going to be contributing to it"

          Sorry, the first does not automatically lead to the second. It may but it is far from automatic.

          They would need skill and time to contribute in a meaningful way. Especially with the gnarly nasty bits of security/encryption and the like.

          Those are specialties which require a great deal of training and experience. Not something the casual hacker is likely to have.

        2. Roland6 Silver badge

          Re: Open Source movement are making the same mistakes ...

          @1Rafayal

          " as open source software gains more ground in the real world, more and more people are going to be contributing to it"

          No the main reason why Open Source is getting attention is that it is more visible and more people are using it, hence there is a bigger market for news etc. about it.

          Yes with an increased presence in the market, we can expect more people to be interested in contributing, which will need to be managed through some sort of apprenticeship, which should involve code reading...

          Re: Community v. Enterprise Editions

          Yes some segments of the Open Source community are getting quite commercial, but then if you want quality developers on your project, you have to pay...

          1. 1Rafayal

            Re: Open Source movement are making the same mistakes ...

            Your last comment there: "if you want quality developers on your project, you have to pay..."

            Do you mean to suggest that the open source projects, the free stuff, dont have the same quality of developer working on them?

            1. h4rm0ny

              Re: Open Source movement are making the same mistakes ...

              >>"Do you mean to suggest that the open source projects, the free stuff, dont have the same quality of developer working on them?"

              You're obviously not as familiar with Open Source as you think you are. The majority of big projects (all of them?) have paid developers working on them. Do you think someone with Linus Torvalds' level of ability is sitting there working away on the Linux kernel and managing it for free?

            2. Roland6 Silver badge

              Re: Open Source movement are making the same mistakes ...

              @1Rafayal

              "Do you mean to suggest that the open source projects, the free stuff, dont have the same quality of developer working on them?"

              No, I deliberately left the word 'pay' stand without qualification!

              In general however, my take is that for Open Source to progress beyond the hobbyist/amateur phase, and truly become a credible alternative to proprietary offerings, it has to become much more professional in its development, delivery and customer interface, which effectively means walking the talk and becoming a business: saying you're going to deliver xyz functionality, by a date and doing exactly that, likewise when users/customers encounter problems, being able to commit to fixing them. The only way you can reliably do this is to pay people.

              A rhetorical question is to consider where would Linux be without the commercially backed distributions?

  8. Will Godfrey Silver badge

    Yawn

    As well as reading about this on various sites, this morning as I opened Claws Mail there was a notification for their list subscribers advising a check with their distro.

    Fired up Synaptic, and yes; there was a security upgrade already available.

    A few minutes. Job done :)

    Thanks guys - I've got a bit of spare cash so will make a few donations.

    I can't remember any commercial organisations of any sort responding like that.

  9. JeffyPoooh
    Pint

    Hmmm...

    Why not write *one* (1) generic input routine, with a bunch of parameters to make it a universal solution, and then simply ruggedize, almost militarize, and perfect that one routine? This one Universal input routine would deliver on a platter the required data, all sanitized and safe.

  10. Uncle Ron

    Buffer Overflow

    I have never written a line of code in my life. Also, I'm not a processor or logic designer. Or an engineer of any sort. So, here goes: It seems that many/most of these bugs/malicious things cause a "buffer overflow." Why is it not possible to simply design in to the HW or SW an absolute stop on buffer overflows under ANY circumstances. Put a brick wall around the "buffer" and don't let anything "overflow" it. If something overflows it just shuts down. Like a sump pump. Huh?

    1. Vic

      Re: Buffer Overflow

      Why is it not possible to simply design in to the HW or SW an absolute stop on buffer overflows under ANY circumstances. Put a brick wall around the "buffer" and don't let anything "overflow" it. If something overflows it just shuts down

      It is possible.

      But to do it in the terms you specify requires hardware support (which not all CPUs have), and is extraordinarily expensive at run-time; your computer will end up running like a complete dog.

      So what's done instead is to *check* that the operation you're performing on a buffer is appropriate - you *check* that the operation stays within the buffer and does things it's allowed to do.

      But some people don't. And that's why you get buffer over-runs.

      Vic.

    2. Paul Crawford Silver badge

      Re: Buffer Overflow

      It is possible, but often not done for historical or laziness reasons.

      The most common problems are copying or printing a string of characters in to a destination that is too small, so it overflows into somewhere else that can then be exploited. The usual culprits in the C/C++ language are strcpy() and sprintf() (and similar) but you can often use alternatives such as strncpy() and snprintf() instead which take the destination size and enforce that limit (though with strncpy() you should also enforce nul-termination of the string as it won't do that).

      If the destination buffer is allocated by the malloc() family, then in Linux you can also use the electricfence library for debugging; that puts each buffer into a separate page and any violation results in a segmentation fault that you can then debug from the core dump. However, you would not normally use electricfence for release code as it has a performance penalty; it is really intended for testing and debugging.
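      The two replies above (Vic's point that the fix is to check an operation stays within the buffer before performing it, and Paul Crawford's strcpy/strncpy/snprintf advice) and the 2008 "counted-length data blobs" quote earlier in the thread, put together in an added C example. This is not GnuTLS code and not any commenter's code: the record bytes, the `blob` struct, the function names and the "hostile" length header are all constructed for illustration, and the length-prefixed field is a generic stand-in, not the actual ServerHello layout.

```c
/* Added example, not GnuTLS or any commenter's code. Record bytes, the blob
 * struct and all function names are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A counted-length blob: the length travels with the data, so no terminator
 * byte is needed and a 0x00 inside the payload is just another byte. */
struct blob {
    uint8_t *buf;  /* backing storage */
    size_t   cap;  /* size of buf */
    size_t   len;  /* bytes in use, always <= cap */
};

/* Constructed record: 2-byte big-endian length, then a 4-byte payload whose
 * second byte is 0x00 (legal in TLS, fatal for strlen/strcat). */
static const uint8_t sample_record[] = { 0x00, 0x04, 0x16, 0x00, 0x03, 0x01 };

/* What strlen thinks the payload length is: it stops at the first NUL. */
size_t strlen_view(void) { return strlen((const char *)sample_record + 2); }

/* The real payload length, taken from the length prefix. */
size_t real_len(void) { return ((size_t)sample_record[0] << 8) | sample_record[1]; }

/* Append n bytes to a blob. The capacity check happens before memcpy;
 * that ordering is the entire difference between safe and overflowing. */
int blob_append(struct blob *b, const uint8_t *src, size_t n) {
    if (n > b->cap - b->len)  /* cap >= len holds, so this cannot underflow */
        return -1;
    memcpy(b->buf + b->len, src, n);
    b->len += n;
    return 0;
}

/* Parse one length-prefixed field out of msg[0..msg_len) into dst, refusing a
 * peer-supplied length that overruns either the message or the destination. */
int parse_field(const uint8_t *msg, size_t msg_len, struct blob *dst) {
    if (msg_len < 2) return -1;
    size_t n = ((size_t)msg[0] << 8) | msg[1];
    if (n > msg_len - 2) return -1;       /* claims more bytes than were sent */
    return blob_append(dst, msg + 2, n);  /* bounded against dst->cap */
}

/* Fixed-buffer C string copy. strncpy does not terminate when src is too
 * long, so terminate explicitly and report truncation to the caller. */
int copy_cstr(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return -1;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(src) >= dst_size ? -1 : 0;  /* -1 = truncated */
}

/* snprintf returns the length it wanted to write; a value >= dst_size means
 * the output was cut, which is usually a bug rather than a success. */
int format_cstr(char *dst, size_t dst_size, const char *host, unsigned port) {
    int n = snprintf(dst, dst_size, "%s:%u", host, port);
    return (n < 0 || (size_t)n >= dst_size) ? -1 : 0;
}

/* Two 4-byte fields fill an 8-byte blob; the third must be refused. */
int scenario_fill_then_refuse(void) {
    uint8_t s[8];
    struct blob b = { s, sizeof s, 0 };
    int r1 = parse_field(sample_record, sizeof sample_record, &b);
    int r2 = parse_field(sample_record, sizeof sample_record, &b);
    int r3 = parse_field(sample_record, sizeof sample_record, &b);
    return r1 == 0 && r2 == 0 && r3 == -1 && b.len == 8;
}

/* Constructed hostile header: claims 0x1000 payload bytes, carries 2. */
int scenario_hostile_length(void) {
    static const uint8_t hostile[] = { 0x10, 0x00, 0xaa, 0xbb };
    uint8_t s[8];
    struct blob b = { s, sizeof s, 0 };
    return parse_field(hostile, sizeof hostile, &b) == -1 && b.len == 0;
}

/* A 15-byte name into an 8-byte buffer: truncated, terminated, reported. */
int scenario_copy_truncates(void) {
    char small[8];
    int r = copy_cstr(small, sizeof small, "www.example.net");
    return r == -1 && strcmp(small, "www.exa") == 0;
}

int scenario_format_detects_truncation(void) {
    char small[8];
    return format_cstr(small, sizeof small, "example.net", 443) == -1
        && format_cstr(small, sizeof small, "a", 1) == 0
        && strcmp(small, "a:1") == 0;
}

int main(void) {
    printf("strlen sees %zu payload bytes, length prefix says %zu\n",
           strlen_view(), real_len());
    printf("fill then refuse: %d\n", scenario_fill_then_refuse());
    printf("hostile length rejected: %d\n", scenario_hostile_length());
    printf("copy truncated and reported: %d\n", scenario_copy_truncates());
    printf("snprintf truncation detected: %d\n", scenario_format_detects_truncation());
    return 0;
}
```

      The point of the blob functions is that the bound is checked against a length the program controls (the destination capacity and the bytes actually received), never against a length the peer supplied; the string functions show why strncpy still needs an explicit terminator and why snprintf's return value has to be compared with the buffer size rather than ignored.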

  11. Gene Cash Silver badge

    Huge list of things dependent on 2.12 STILL

    In Debian Testing, libgnutls28 is 3.2.14, so I can upgrade that when it comes out.

    However, I have a ton of stuff still dependent on libgnutls26 (2.12.23-15)

    pidgin, libreoffice, virtualbox, xine, gnome-keyring, pavucontrol from pulseaudio, mplayer, smb-client, wireshark, emacs, x11vnc, curl, git, glib-networking...

    Is that going to be patched? I don't think so...

  12. Anonymous Coward

    _NSAkey

    _NSAkey

    Because.

    1. Anonymous Coward

      Re: _NSAkey

      Purely by coincidence, the man who brought you the NSAkey story has a major story on El Reg this week. Worth a read, if you still have any vestige of belief in 'security'.

  13. foo_bar_baz

    Class of bugs

    Codenomicon makes a fuzzing tool. It will find bugs human testers and reviewers won't often find. We hear about this bug because it's an open source library and Codenomicon test OSS and release the results, as a free service if you like.

    Software companies who are Codenomicon clients (or use other similar tools) will find bugs and patch them up on the quiet. Companies that don't do such testing probably won't find them. In neither case will we read about it on The Reg.


Biting the hand that feeds IT © 1998–2021