On Tue, 2013-04-16 at 11:11 -0400, manc...@hush.com wrote:
> Hello.
>
> I came across a thread that discusses a recent PostgreSQL security
> fix (for CVE-2013-1900). The discussion raises the possibility the
> problem lies in OpenSSL's fork protection code.
>
> Full thread here: http://marc.info/?t=136579421000001&r=1&w=2
If gettimeofday() was mixed in during the RNG reads, the vulnerability
would be prevented. Of course it would not prevent the case where the
attacker has access to the internal state of the parent process but that
is a different attack that could be prevented only by reseeding on forks
(or when a pid change is detected).
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
