Unsafe use of g_random_int()
Ethan Blanton
elb at pidgin.im
Sat Aug 15 12:52:12 EDT 2015
Richard Laager spake unto us the following wisdom:
> On 08/15/2015 11:30 AM, Ethan Blanton wrote:
> >Mike is prepared to put a CSPRNG in purple 2 (using
> >/dev/urandom), and purple 3 will have a proper RNG interface in
> >purple_util (using an SSL library if available, and urandom if not).
>
> Why can't the proper RNG interface go into purple 2 with a minor version
> bump?
I haven't looked closely, it might be able to. I know it requires
adding an SSL API function, I don't know if there was room for that in
the struct or if it had to be extended. We're going to require a
minor version bump anyway, to add the rng function.
Michael, do you think the whole thing is appropriate for 2.x.y?
> >But ... do we just publish the CVE, fix it and let it sit until the
> >next purple-2 release, or do we coordinate a purple-2 release for
> >shortly after GSoC with this fix in place? Thoughts?
>
> I think we should release as soon as possible. Cutting another release, for
> any reason, will allow us to get the signatures right. We're getting
> complaints about the Windows installer and about Mark's signatures on the
> tarballs being from an old, revoked key.
That's a fair consideration.
And if we're going to release Soon, we might as well coordinate.
Ethan
More information about the security
mailing list