GNU bug report logs - #22202
24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems

Previous Next

Package: emacs;

Reported by: Demetri Obenour <demetriobenour <at> gmail.com>

Date: Fri, 18 Dec 2015 10:09:01 UTC

Severity: normal

Tags: security

Found in version 24.5

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Richard Copley <rcopley <at> gmail.com>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 22202 <at> debbugs.gnu.org, Demetri Obenour <demetriobenour <at> gmail.com>, David Engster <deng <at> randomsample.de>
Subject: bug#22202: 24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems
Date: Thu, 31 Dec 2015 20:44:18 +0000

>> >> What Demetri has just described is what I would do.
>> >
>> >Now I'm confused: do what?
>>
>> As I understand it: Provide a function callable from lisp that returns
>> a cryptographically secure sequence of random bytes, of a specified
>> length. Use that function to generate the server secret.
>
> That's what my patch does.

A separate function from "random".

>> >We still need to support 'random' with an
>> >argument, so we cannot get rid of seeding a PRNG with a known value.
>> >And I didn't want to remove srandom.
>>
>> Given the above, we could leave "random", etc., as they are, or we
>> could use a better PRNG and/or seed with system entropy. It would
>> no longer be tied up with this issue report.
>
> Patches welcome, as I said already.

You asked me a question.
This bug report was last modified 9 years and 179 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.