Unsafe use of g_random_int()

Ethan Blanton elb at pidgin.im
Sat Aug 15 12:52:12 EDT 2015

Richard Laager spake unto us the following wisdom:
> On 08/15/2015 11:30 AM, Ethan Blanton wrote:
> >Mike is prepared to put a CSPRNG in purple 2 (using
> >/dev/urandom), and purple 3 will have a proper RNG interface in
> >purple_util (using an SSL library if available, and urandom if not).
> Why can't the proper RNG interface go into purple 2 with a minor version
> bump?

I haven't looked closely, it might be able to.  I know it requires
adding an SSL API function, I don't know if there was room for that in
the struct or if it had to be extended.  We're going to require a
minor version bump anyway, to add the rng function.

Michael, do you think the whole thing is appropriate for 2.x.y?

> >But ... do we just publish the CVE, fix it and let it sit until the
> >next purple-2 release, or do we coordinate a purple-2 release for
> >shortly after GSoC with this fix in place?  Thoughts?
> I think we should release as soon as possible. Cutting another release, for
> any reason, will allow us to get the signatures right. We're getting
> complaints about the Windows installer and about Mark's signatures on the
> tarballs being from an old, revoked key.

That's a fair consideration.

And if we're going to release Soon, we might as well coordinate.


More information about the security mailing list