| https://www.schneier.com/blog/archives/2008/05/random_number... >On May 13th, 2008 the Debian project announced that Luciano Bello found an interesting vulnerability in the OpenSSL package they were distributing. The bug in question was caused by the removal of the following line of code from md_rand.c > MD_Update(&m,buf,j);
> [ .. ]
> MD_Update(&m,buf,j); /* purify complains */
>These lines were removed because they caused the Valgrind and Purify tools to produce warnings about the use of uninitialized data in any code that was linked to OpenSSL. You can see one such report to the OpenSSL team here. Removing this code has the side effect of crippling the seeding process for the OpenSSL PRNG. Instead of mixing in random data for the initial seed, the only “random” value that was used was the current process ID. On the Linux platform, the default maximum process ID is 32,768, resulting in a very small number of seed values being used for all PRNG operations. The most security focused uh? the distro where a maintainer modifies code he doesn't understand because valgrind complains about it? In one of the most important packages of a linux distribution? No.
Anyone who has had memories of this event would treat anything stamped with debian's name as nuclear waste. Debian has had many conflicts with upstream projects for their relentlessly idiotic patching. Firefox once prohibited Debian from using the FF trademarked name and debian in turn renamed firefox "Iceweasel" in their distribution to continue shipping their tainted version. I'd trust any of these : RHEL/Fedora, openSUSE, Gentoo and Arch over debian any day. |
To be fair, the maintenir had asked about the change on the project mailing list and was given the go ahead.
I too don’t like the general attitude of Debian towards patching but it’s an issue of the whole project. There is no need to single out someone.