GNU bug report logs - #22202
24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems

Previous Next

Package: emacs;

Reported by: Demetri Obenour <demetriobenour <at> gmail.com>

Date: Fri, 18 Dec 2015 10:09:01 UTC

Severity: normal

Tags: security

Found in version 24.5

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

Message #124 received at 22202 <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: John Wiegley <johnw <at> gnu.org>, Eli Zaretskii <eliz <at> gnu.org>
Cc: rcopley <at> gmail.com, 22202 <at> debbugs.gnu.org, deng <at> randomsample.de
Subject: Re: bug#22202: 24.5; SECURITY ISSUE -- Emacs Server vulnerable to
 random number generator attack on Windows systems
Date: Tue, 19 Jan 2016 09:38:23 -0800

On 01/19/2016 09:03 AM, John Wiegley wrote:
> What critical feature is GnuTLS buying for us that would make this worthwhile,
> Paul?

There is nothing "critical" here. This is just a minor issue, one that 
has been blown all out of proportion. Using GnuTLS when available 
lessens use of system resources and simplifies auditing, but Emacs could 
get by without this minor bugfix-improvement.

> why do we need a dependency on GnuTLS

There isn't a dependency on GnuTLS in the usual sense: that is, if 
GnuTLS is absent, the code still works as before. The only dependency is 
that we trust the GnuTLS library to work when it is present, and to 
report an error if one occurs. This is a reasonable assumption, both 
here and elsewhere in Emacs.
This bug report was last modified 9 years and 179 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.