Unsafe use of g_random_int()

Ethan Blanton elb at pidgin.im
Tue Oct 20 14:38:35 EDT 2015


Jorge VillaseƱor spake unto us the following wisdom:
> On Tue, Oct 20, 2015 at 10:34 AM, Ethan Blanton <elb at pidgin.im> wrote:
> 
> > Ethan Blanton spake unto us the following wisdom:
> > > > There's a more serious concern, though. Specifically, there are uses of
> > > > the Glib function g_random_int() to generate nonces in the Jabber SCRAM
> > > > and DIGEST_MD5 SASL code. The Glib docs state:
> > >
> > > My analysis of this is that it's dangerous, but unlikely to be
> > > immediately exploitable.  I think we should fix it, have a CVE issued,
> > > and then coordinate the next normal release of Pidgin.  I don't think
> > > we need to push a release for this.
> >
> > We never really made a decision on this front.  The GSoC stuff is now
> > being merged; James's Facebook prpl has already been merged.  I think
> > we should set a date for libpurple 2.11 (Maybe early November?),
> > request a CVE, and get this process started.  Please weigh in on this.
> >
> > Ethan
> >
> 
> Early November looks good to me.
> 
> What is needed to be done? Merge Michael's code from the rand repo and ask
> for the CVE?

For this particular bug, yeah.  Michael, is that entirely correct?

Ethan


More information about the security mailing list