GNU bug report logs - #22202
24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems

Previous Next

Package: emacs;

Reported by: Demetri Obenour <demetriobenour <at> gmail.com>

Date: Fri, 18 Dec 2015 10:09:01 UTC

Severity: normal

Tags: security

Found in version 24.5

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

Message #71 received at 22202 <at> debbugs.gnu.org (full text, mbox):

From: Richard Copley <rcopley <at> gmail.com>
To: Eli Zaretskii <eliz <at> gnu.org>
Cc: 22202 <at> debbugs.gnu.org, Demetrios Obenour <demetriobenour <at> gmail.com>,
 David Engster <deng <at> randomsample.de>
Subject: Re: bug#22202: 24.5; SECURITY ISSUE -- Emacs Server vulnerable to
 random number generator attack on Windows systems
Date: Thu, 31 Dec 2015 17:47:18 +0000

That last patch would still improve matters. The user would have
to be publishing the output of their PRNG to begin with in order
for the attacker to analyse it and guess the seed. (I don't know
how one could do that but that's no proof that it's impossible.)

What Demetri has just described is what I would do. (Sorry
again that I can't assist with a patch.)

+  if (w32_crypto_hprov)
+    w32_init_crypt_random ();

should be

+  if (! w32_crypto_hprov)
+    w32_init_crypt_random ();

This bug report was last modified 9 years and 179 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #22202 24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems

GNU bug report logs - #22202
24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems