Unsafe use of g_random_int()
salinasv at gmail.com
Tue Oct 20 14:32:28 EDT 2015
On Tue, Oct 20, 2015 at 10:34 AM, Ethan Blanton <elb at pidgin.im> wrote:
> Ethan Blanton spake unto us the following wisdom:
> > > There's a more serious concern, though. Specifically, there are uses of
> > > the Glib function g_random_int() to generate nonces in the Jabber SCRAM
> > > and DIGEST_MD5 SASL code. The Glib docs state:
> > My analysis of this is that it's dangerous, but unlikely to be
> > immediately exploitable. I think we should fix it, have a CVE issued,
> > and then coordinate the next normal release of Pidgin. I don't think
> > we need to push a release for this.
> We never really made a decision on this front. The GSoC stuff is now
> being merged; James's Facebook prpl has already been merged. I think
> we should set a date for libpurple 2.11 (Maybe early November?),
> request a CVE, and get this process started. Please weigh in on this.
Early November looks good to me.
What needs to be done? Merge Michael's code from the rand repo and ask
for the CVE?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Q: What is the most annoying thing on usenet and in e-mail?
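The thread above concerns nonces for SCRAM and DIGEST-MD5 being drawn from g_random_int(), a general-purpose PRNG that GLib's documentation does not describe as cryptographically secure. The following is an added example, not Pidgin or libpurple code, of the defensive alternative: read the nonce bytes from the operating system's CSPRNG and encode them as printable hex so they are valid in both SASL mechanisms. The nonce length (24 bytes) and the function names are the example's own choices, and it assumes a POSIX system with /dev/urandom.

```c
/* Added example (not Pidgin/libpurple code): SASL nonce generation from the
 * OS CSPRNG instead of a general-purpose PRNG such as g_random_int(). */
#include <stdio.h>
#include <stdbool.h>
#include <string.h>
#include <ctype.h>

#define NONCE_BYTES 24   /* 192 bits of randomness; a chosen value, not from the thread */

/* Fill buf with len bytes from /dev/urandom. Returns true on success.
 * Assumes a POSIX system; on Linux, getrandom(2) is the modern equivalent. */
static bool csprng_bytes(unsigned char *buf, size_t len) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return false;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len;
}

/* Write a lowercase hex nonce of 2*NONCE_BYTES characters plus a NUL into out.
 * Hex is printable ASCII without commas or quotes, so it is acceptable as a
 * SCRAM nonce and as a DIGEST-MD5 quoted nonce value. Returns true on success,
 * false if out_len is too small or the CSPRNG could not be read. */
bool sasl_nonce_hex(char *out, size_t out_len) {
    static const char hexdigits[] = "0123456789abcdef";
    unsigned char raw[NONCE_BYTES];

    if (out_len < 2 * NONCE_BYTES + 1)
        return false;
    if (!csprng_bytes(raw, sizeof raw))
        return false;          /* never fall back to a weak PRNG here */

    for (size_t i = 0; i < sizeof raw; i++) {
        out[2 * i]     = hexdigits[raw[i] >> 4];
        out[2 * i + 1] = hexdigits[raw[i] & 0x0f];
    }
    out[2 * NONCE_BYTES] = '\0';
    return true;
}

/* Sanity check a reviewer can run on an emitted nonce: correct length and
 * only lowercase hex digits. It does not (and cannot) judge randomness. */
bool sasl_nonce_is_wellformed(const char *nonce) {
    if (nonce == NULL || strlen(nonce) != 2 * NONCE_BYTES)
        return false;
    for (const char *p = nonce; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isxdigit(c) || isupper(c))
            return false;
    }
    return true;
}

int main(void) {
    char a[2 * NONCE_BYTES + 1], b[2 * NONCE_BYTES + 1];
    if (!sasl_nonce_hex(a, sizeof a) || !sasl_nonce_hex(b, sizeof b)) {
        fprintf(stderr, "CSPRNG unavailable; refusing to generate a nonce\n");
        return 1;
    }
    printf("nonce1=%s\nnonce2=%s\ndistinct=%s\n", a, b,
           strcmp(a, b) != 0 ? "yes" : "no");
    return 0;
}
```

The design point is the failure path: when the CSPRNG cannot be read, the function reports an error rather than silently substituting a predictable source, which is exactly the class of weakness the thread is discussing.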