@hyc @carnildo From what I can tell, the check for permitted algorithms is after RSA_public_decrypt() has already been called, at least on some relevant paths.
Notices by AndresFreundTec (andresfreundtec@mastodon.social)
-
AndresFreundTec (andresfreundtec@mastodon.social)'s status on Tuesday, 09-Apr-2024 06:34:14 UTC AndresFreundTec -
AndresFreundTec (andresfreundtec@mastodon.social)'s status on Monday, 08-Apr-2024 23:23:44 UTC AndresFreundTec I was doing some micro-benchmarking at the time, needed to quiesce the system to reduce noise. Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc. Profiled sshd, showing lots of CPU time in liblzma, with perf unable to attribute it to a symbol. Got suspicious. Recalled that I had seen an odd valgrind complaint in automated testing of postgres, a few weeks earlier, after package updates.
Really required a lot of coincidences.
-
AndresFreundTec (andresfreundtec@mastodon.social)'s status on Monday, 08-Apr-2024 23:23:44 UTC AndresFreundTec I accidentally found a security issue while benchmarking postgres changes.
If you run debian testing, unstable or some other more "bleeding edge" distribution, I strongly recommend upgrading ASAP.
-
AndresFreundTec (andresfreundtec@mastodon.social)'s status on Monday, 08-Apr-2024 23:23:38 UTC AndresFreundTec @praseodym Hah. I've apparently been doing this stuff for a while.
-
AndresFreundTec (andresfreundtec@mastodon.social)'s status on Sunday, 31-Mar-2024 12:37:24 UTC AndresFreundTec I wholeheartedly agree with what Russ wrote here:
"Also if there's anything the community can do for Lasse personally, please pass that along."
"Anyone can be the victim of social engineering."
"I suspect many of us here have had nightmares about being in Lasse's position, and probably will have more of them in the future."
Indeed.