Bug#559107: weaknesses in BSD PRNG algorithms

severity 559107 normal

On Thu, Dec 03, 2009 at 02:01:06PM +0100, Petr Salinger wrote:
> severity 559107 important
> --
> >But the status of CVE-2008-114[678] is still open. Do they affect the
> >KFreeBSD port? What's the position of the FreeBSD kernel developers on
> >these issues?
> I used as description this
> http://www.trusteer.com/docs/OpenBSD_DNS_Cache_Poisoning_and_Multiple_OS_Predictable_IP_ID_Vulnerability.pdf
> The GNU/kFreeBSD (kfreebsd-?) is not affected by CVE-2008-1146 and CVE-2008-1148 at all.

Thanks, fixed in the Debian Security Tracker.

> For CVE-2008-1147 holds:
>   Exploitations of the predictability of the IP fragmentation ID were made
>   public almost a decade ago.
>   NetBSD, FreeBSD and DragonFlyBSD do not randomize IP fragmentation ID
>   field at all by default, and provide a kernel flag
>   (net.inet.ip.random_id) that enables randomization through the weak algorithm.
> The weak algorithm has been replaced by upstream commit (Feb 6 2008)
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_id.c?rev=1.10;contenttype=
>   Replace the random IP ID generation code we
>   obtained from OpenBSD with an algorithm suggested
>   by Amit Klein.  The OpenBSD algorithm has a few
>   flaws; see Amit's paper for more information.
>   For a description of how this algorithm works,
>   please see the comments within the code.
>   Note that this commit does not yet enable random IP ID
>   generation by default.  There are still some concerns
>   that doing so will adversely affect performance.
> This commit has not been MFC-ed to STABLE-7.
> The default value for net.inet.ip.random_id is 0 even in HEAD.
> The FreeBSD developers/security_team published no "security
> advisory" and no "errata notice", and they did not include it in the next
> release (7.1 - January 2009).

If I understand it correctly, this means that the fix is present in
kfreebsd-8, but not kfreebsd-7? Not having it enabled by default seems
good enough to me.

Will Squeeze use kfreebsd-7 or -8 or both?
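As an added illustration (not part of this bug report, nor of the FreeBSD ip_id.c code discussed above), here is a defender-side heuristic for the property at issue: whether the IP ID values a host emits look like a global counter, which is what net.inet.ip.random_id=0 leaves in place. The sample ID sequences are constructed, and the step limit and threshold are assumptions chosen for illustration.

```python
"""Classify an observed sequence of IP identification values as counter-like or
randomized.  Input is a list of 16-bit IP ID values from one host in arrival
order (e.g. pulled out of a packet capture); all samples here are constructed."""
from typing import Sequence


def ipid_deltas(ids: Sequence[int]) -> list:
    """Differences between consecutive IP IDs, modulo 2**16 (the field is 16 bits),
    so a counter that wraps from 65535 to 0 still shows a delta of 1."""
    return [(b - a) % 0x10000 for a, b in zip(ids, ids[1:])]


def classify_ipid(ids: Sequence[int], max_step: int = 16, threshold: float = 0.9) -> str:
    """Return 'constant' if the ID never changes, 'sequential' if at least
    `threshold` of the deltas are small positive steps (1..max_step, allowing for
    interleaved traffic to other peers), otherwise 'randomized'.
    max_step and threshold are assumed tuning values, not from any standard."""
    if len(ids) < 8:
        raise ValueError("need at least 8 samples for a meaningful verdict")
    deltas = ipid_deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"
    small = sum(1 for d in deltas if 1 <= d <= max_step)
    return "sequential" if small / len(deltas) >= threshold else "randomized"


# Constructed samples: a global counter wrapping past 65535, and values that
# do not step predictably.
SEQUENTIAL_IDS = [65530, 65531, 65532, 65533, 65534, 65535, 0, 1, 2, 3]
RANDOM_IDS = [0x3F1C, 0x9A02, 0x0C77, 0xE4B9, 0x512D, 0xB7E0, 0x2A4F, 0xF013, 0x6D88, 0x19C5]

if __name__ == "__main__":
    for name, sample in (("counter host", SEQUENTIAL_IDS), ("randomized host", RANDOM_IDS)):
        print(f"{name}: {classify_ipid(sample)}")
```

On a FreeBSD host the corresponding configuration check is simply reading the sysctl named in the thread, net.inet.ip.random_id, where 0 means the sequential behaviour above is in use.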


