Unsafe use of g_random_int()

Richard Laager rlaager at wiktel.com
Sat Aug 15 12:46:07 EDT 2015


On 08/15/2015 11:30 AM, Ethan Blanton wrote:
> Mike is prepared to put a CSPRNG in purple 2 (using
> /dev/urandom), and purple 3 will have a proper RNG interface in
> purple_util (using an SSL library if available, and urandom if not).

Why can't the proper RNG interface go into purple 2 with a minor version 
bump?

> But ... do we just publish the CVE, fix it and let it sit until the
> next purple-2 release, or do we coordinate a purple-2 release for
> shortly after GSoC with this fix in place?  Thoughts?

I think we should release as soon as possible. Cutting another release, 
for any reason, will allow us to get the signatures right. We're getting 
complaints about the Windows installer and about Mark's signatures on 
the tarballs being from an old, revoked key.

-- 
Richard


More information about the security mailing list