GNU bug report logs - #22202
24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems

Previous Next

Full log

Message #112 received at 22202 <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: rcopley <at> gmail.com, 22202 <at> debbugs.gnu.org, deng <at> randomsample.de
Subject: Re: bug#22202: 24.5; SECURITY ISSUE -- Emacs Server vulnerable to
 random number generator attack on Windows systems
Date: Mon, 18 Jan 2016 21:34:12 -0800

Eli Zaretskii wrote:

> We all silently fix blunders and other trivial problems; this wasn't one of
> them.

I thought it a trivial matter; evidently I was mistaken. My apologies.

> AFAICS, we close the file descriptor as soon as we finished reading.
> So unless GnuTLS initialization is run in another thread, there won't
> be 2 descriptors at the same time.

GnuTLS keeps /dev/urandom open indefinitely. If Emacs opens /dev/urandom 
independently it can have two file descriptors open to the same file. Yes, it's 
not a huge deal performance-wise; but it is strange, and when doing security 
audits it will be one more thing to explain.

> But where we need to seed our own PRNG, we better had a good idea of
> what we do and what kind of randomness we get.

Any worries we might have about GnuTLS's randomness apply with equal force to 
/dev/urandom's. After all, /dev/urandom is not guaranteed to be random.

Really, though, if we can't trust GnuTLS to give us random data, we should not 
trust it for communications security at all. Nonces are that basic.

> So what is special about GnuTLS?

GnuTLS already has the random data we need; other libraries don't.

I installed the documentation patch, since it does seem a minor improvement. 
Yes, the doc could have been improved ages ago, but late is better than never.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.