GNU bug report logs - #22202
24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems

Previous Next

Package: emacs;

Reported by: Demetri Obenour <demetriobenour <at> gmail.com>

Date: Fri, 18 Dec 2015 10:09:01 UTC

Severity: normal

Tags: security

Found in version 24.5

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Eli Zaretskii <eliz <at> gnu.org>
To: Richard Copley <rcopley <at> gmail.com>
Cc: 22202 <at> debbugs.gnu.org, demetriobenour <at> gmail.com, deng <at> randomsample.de
Subject: bug#22202: 24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems
Date: Wed, 30 Dec 2015 22:56:29 +0200

> Date: Wed, 30 Dec 2015 20:47:40 +0000
> From: Richard Copley <rcopley <at> gmail.com>
> Cc: David Engster <deng <at> randomsample.de>, 22202 <at> debbugs.gnu.org, 
> 	Demetri Obenour <demetriobenour <at> gmail.com>
> 
> Re performance: using CryptGenRandom to provide a seed for srand
> is enough to address Demetri's concern. For performance reasons,
> as you said, implementing random() with CryptGenRandom is
> potentially bad. I think random() itself should not be changed.

That'd be the worst of both worlds, IMO: a not-so-good PRNG with no
way whatsoever to get a repeatable sequence.  Am I right?

This bug report was last modified 9 years and 179 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #22202 24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems

GNU bug report logs - #22202
24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems