Unsafe use of g_random_int()
Ethan Blanton
elb at pidgin.im
Tue Oct 20 13:34:55 EDT 2015
Ethan Blanton spake unto us the following wisdom:
> > There's a more serious concern, though. Specifically, there are uses of
> > the Glib function g_random_int() to generate nonces in the Jabber SCRAM
> > and DIGEST_MD5 SASL code. The Glib docs state:
>
> My analysis of this is that it's dangerous, but unlikely to be
> immediately exploitable. I think we should fix it, have a CVE issued,
> and then coordinate the next normal release of Pidgin. I don't think
> we need to push a release for this.
We never really made a decision on this front. The GSoC stuff is now
being merged; James's Facebook prpl has already been merged. I think
we should set a date for libpurple 2.11 (Maybe early November?),
request a CVE, and get this process started. Please weigh in on this.
Ethan
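The quoted concern is that a general-purpose PRNG (GLib's g_random_int()) is being used to produce SASL nonces, which in SCRAM and DIGEST-MD5 must be unpredictable to guarantee the exchange is fresh. The following C program is an added example, not libpurple or Pidgin code: it draws nonce bytes from the operating system's CSPRNG and checks the result against the nonce alphabet both mechanisms require (printable ASCII with no comma or double quote). The helper names, the use of /dev/urandom, and the 24-byte nonce length are assumptions made for illustration.

```c
/* Added example (not libpurple code): build a SASL nonce from the kernel
 * CSPRNG rather than a general-purpose PRNG such as g_random_int().
 * Assumes a POSIX system that exposes /dev/urandom. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Fill buf with len bytes from the kernel CSPRNG.
 * Returns 0 on success, -1 if the device cannot be read in full. */
static int fill_random(unsigned char *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Encode nbytes of CSPRNG output as lowercase hex into out (NUL-terminated).
 * Hex is a safe nonce alphabet for SCRAM (no ',') and DIGEST-MD5 (no '"').
 * Returns the number of characters written, or -1 on a size or RNG error. */
static int make_nonce(char *out, size_t out_len, size_t nbytes)
{
    static const char hex[] = "0123456789abcdef";
    unsigned char raw[64];
    if (nbytes == 0 || nbytes > sizeof raw || out_len < 2 * nbytes + 1)
        return -1;
    if (fill_random(raw, nbytes) != 0)
        return -1;
    for (size_t i = 0; i < nbytes; i++) {
        out[2 * i]     = hex[raw[i] >> 4];
        out[2 * i + 1] = hex[raw[i] & 0x0f];
    }
    out[2 * nbytes] = '\0';
    return (int)(2 * nbytes);
}

/* A nonce must be non-empty printable ASCII and must not contain ','
 * (SCRAM attribute separator) or '"' (DIGEST-MD5 quoting).
 * Returns 1 if valid, 0 otherwise. */
static int nonce_is_valid(const char *nonce)
{
    if (nonce == NULL || nonce[0] == '\0')
        return 0;
    for (const unsigned char *p = (const unsigned char *)nonce; *p; p++) {
        if (*p > 0x7e || !isprint(*p) || *p == ',' || *p == '"')
            return 0;
    }
    return 1;
}

/* Self-check: two consecutive nonces must be well-formed and distinct.
 * Returns 1 on success, 0 on any failure. */
static int nonce_self_test(void)
{
    char a[65], b[65];
    if (make_nonce(a, sizeof a, 24) != 48 || make_nonce(b, sizeof b, 24) != 48)
        return 0;
    if (!nonce_is_valid(a) || !nonce_is_valid(b))
        return 0;
    return strcmp(a, b) != 0;
}

int main(void)
{
    char nonce[65];
    if (make_nonce(nonce, sizeof nonce, 24) < 0) {
        fprintf(stderr, "could not read the CSPRNG\n");
        return 1;
    }
    printf("client nonce: %s\n", nonce);
    return nonce_self_test() ? 0 : 1;
}
```

The design point is that the only property a nonce needs is unpredictability to a network peer; the 24 bytes (192 bits) used here are far more than enough, and the hex encoding sidesteps the separator and quoting rules of both SASL mechanisms without any escaping.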