Unsafe use of g_random_int()

Eion Robb eion at robbmob.com
Mon Aug 17 17:55:21 EDT 2015


Here's a win32 func for you to use instead of /dev/urandom.

Technically, we're still building to target win2k (even though our GTK is
only XP or higher), but this patch only works on XP or higher. Don't know
if that's an issue here, or whether bumping windows version requirements is
outside of scope for a minor/micro build.

Cheers,
Eion


On 16 August 2015 at 05:44, Michael McConville <mmcconville at mykolab.com>
wrote:

> Ethan Blanton wrote:
> > Folks,
> >
> > What we need to decide here is whether we should do a coordinated
> > release for this.  Mike is prepared to put a CSPRNG in purple 2 (using
> > /dev/urandom), and purple 3 will have a proper RNG interface in
> > purple_util (using an SSL library if available, and urandom if not).
> >
> > This is certainly a security-related bug.  I think it should have a
> > CVE.  I don't think it's readily exploitable due to its position (even
> > with a non-CSPRNG, 64 bits of identical data is unlikely, and this
> > nonce is only created on a connection attempt -- so the number of
> > times you create it will be relatively low, and attacking it would
> > involve auth failures, which you'd notice), but it's still bad.
> >
> > I will help Mike through requesting a CVE from our RH friends.
> >
> > But ... do we just publish the CVE, fix it and let it sit until the
> > next purple-2 release, or do we coordinate a purple-2 release for
> > shortly after GSoC with this fix in place?  Thoughts?
> >
> > Ethan
>
> Repo, for those interested:
>
>         https://hg.pidgin.im/soc/2015/mmcc/rand
-------------- next part --------------
A non-text attachment was scrubbed...
Name: win32dep.crypto.patch
Type: application/octet-stream
Size: 2167 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20150818/4daac4d8/attachment.obj>
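
The /dev/urandom approach discussed in the thread, as an added example; it is not code from this message, from the scrubbed attachment, or from the Pidgin repository. The names `csprng_fill` and `make_nonce64` are hypothetical, and the 64-bit nonce size is assumed from the figure in the quoted message.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical helper: fill buf with len bytes from the kernel CSPRNG.
 * Returns 0 on success, -1 on failure. On failure the caller should abort
 * the connection attempt instead of falling back to a non-cryptographic
 * generator such as g_random_int(). */
int csprng_fill(void *buf, size_t len)
{
    unsigned char *p = buf;
    int fd = open("/dev/urandom", O_RDONLY);

    if (fd < 0)
        return -1;

    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n < 0 && errno == EINTR)
            continue;            /* interrupted by a signal: retry */
        if (n <= 0) {            /* read error or unexpected EOF: fail closed */
            close(fd);
            return -1;
        }
        p += n;                  /* short read: advance and keep reading */
        len -= (size_t)n;
    }
    close(fd);
    return 0;
}

/* Hypothetical wrapper: one 64-bit nonce per connection attempt. */
int make_nonce64(uint64_t *out)
{
    return csprng_fill(out, sizeof *out);
}

int main(void)
{
    uint64_t nonce;

    if (make_nonce64(&nonce) != 0) {
        fprintf(stderr, "no CSPRNG available, refusing to continue\n");
        return 1;
    }
    printf("nonce: %016llx\n", (unsigned long long)nonce);
    return 0;
}
```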

