GNU bug report logs - #22202
24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems


Package: emacs;

Reported by: Demetri Obenour <demetriobenour <at> gmail.com>

Date: Fri, 18 Dec 2015 10:09:01 UTC

Severity: normal

Tags: security

Found in version 24.5

Done: Eli Zaretskii <eliz <at> gnu.org>

Bug is archived. No further changes may be made.



Message #88 received at 22202 <at> debbugs.gnu.org (full text, mbox):

From: Richard Copley <rcopley <at> gmail.com>
To: Paul Eggert <eggert <at> cs.ucla.edu>
Cc: Eli Zaretskii <eliz <at> gnu.org>, 22202 <at> debbugs.gnu.org,
 Andreas Schwab <schwab <at> linux-m68k.org>,
 Demetri Obenour <demetriobenour <at> gmail.com>,
 David Engster <deng <at> randomsample.de>
Subject: Re: bug#22202: 24.5; SECURITY ISSUE -- Emacs Server vulnerable to
 random number generator attack on Windows systems
Date: Mon, 18 Jan 2016 14:40:05 +0000

On 18 January 2016 at 01:42, Paul Eggert <eggert <at> cs.ucla.edu> wrote:
> Andreas Schwab discovered a problem with my patch in that GnuTLS wasn't
> initialized, and reverted the GnuTLS part of it. As I understand it, newer
> versions of GnuTLS initialize themselves when they are loaded and so do not
> run into the issue; I tested with GnuTLS 3.3.15, which I suppose is new
> enough. I attempted to fix this problem in the followup commit
> 130d512045aa376333b664d58c501b3884187592.
>
> Andreas's commit also changed some unrelated style issues, which I reverted;
> that is merely a long-running stylistic disagreement, and right now is not a
> good time to be changing style in code unrelated to fixes.

I can't build from the current sources; the error is:

  CCLD     temacs.exe
sysdep.o: In function `init_random':
C:/emacs/repo/emacs/src/sysdep.c:2108: undefined reference to `gnutls_rnd'
C:/emacs/repo/emacs/src/sysdep.c:2108:(.text+0xf38): relocation
truncated to fit: R_X86_64_PC32 against undefined symbol `gnutls_rnd'
collect2.exe: error: ld returned 1 exit status

Configuration details (from last good build):

In GNU Emacs 25.0.50.1 (x86_64-w64-mingw32)
 of 2016-01-14 built on 60678UHB
Repository revision: dadb841a06aa1ffd6d17c04ef83140dbd1ad7307
Windowing system distributor 'Microsoft Corp.', version 6.1.7601
Configured using:
 'configure --prefix /c/emacs/emacs-20160114-182403
 --without-imagemagick --disable-dependency-tracking
 --enable-locallisppath=%emacs_dir%/../site-lisp 'CFLAGS=-Og -g -ggdb''

Configured features:
XPM JPEG TIFF GIF PNG RSVG SOUND DBUS NOTIFY ACL GNUTLS LIBXML2 ZLIB
TOOLKIT_SCROLL_BARS




This bug report was last modified 9 years and 179 days ago.
