Unsafe use of g_random_int()
Jorge VillaseƱor
salinasv at gmail.com
Tue Oct 20 14:32:28 EDT 2015
On Tue, Oct 20, 2015 at 10:34 AM, Ethan Blanton <elb at pidgin.im> wrote:
> Ethan Blanton spake unto us the following wisdom:
> > > There's a more serious concern, though. Specifically, there are uses of
> > > the Glib function g_random_int() to generate nonces in the Jabber SCRAM
> > > and DIGEST_MD5 SASL code. The Glib docs state:
> >
> > My analysis of this is that it's dangerous, but unlikely to be
> > immediately exploitable. I think we should fix it, have a CVE issued,
> > and then coordinate the next normal release of Pidgin. I don't think
> > we need to push a release for this.
>
> We never really made a decision on this front. The GSoC stuff is now
> being merged; James's Facebook prpl has already been merged. I think
> we should set a date for libpurple 2.11 (Maybe early November?),
> request a CVE, and get this process started. Please weigh in on this.
>
> Ethan
>
Early November looks good to me.
What is needed to be done? Merge Michael's code from the rand repo and ask
for the CVE?
--
Masca
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20151020/37db340b/attachment.html>
More information about the security
mailing list