GNU bug report logs - #6683
mktemp foo.XXXXXXXXXXX is not sufficiently random


Package: coreutils;

Reported by: Paul Eggert <eggert <at> CS.UCLA.EDU>

Date: Tue, 20 Jul 2010 17:22:02 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.


From: Eric Blake <eblake <at> redhat.com>
To: Paul Eggert <eggert <at> CS.UCLA.EDU>
Cc: 6683 <at> debbugs.gnu.org
Subject: bug#6683: mktemp foo.XXXXXXXXXXX is not sufficiently random
Date: Tue, 20 Jul 2010 11:41:29 -0600
On 07/20/2010 11:21 AM, Paul Eggert wrote:
> While looking at the random-number stuff I found a theoretical
> randomness bug in mktemp.  The mktemp command currently uses 8 bytes
> of randomness to generate a file name, so with an invocation like
> this:
> 
> $ mktemp foo.XXXXXXXXXXX
> 
> the file name is not sufficiently random.  There are 62 possibilities
> for each X, so one needs log2(62**11) random bits to generate a random
> 11-character value for the Xs, which is about 65.5 bits, but we are
> generating only 64 bits.  The more Xs, the more randomness is needed,
> so the bug gets more "serious" as the number of Xs grows.

Meanwhile, glibc's mkstemp() only replaces the last 6 X, regardless of
how many additional X are present in the template.  Do we even need the
extra randomness if the template contains more X?

-- 
Eric Blake   eblake <at> redhat.com    +1-801-349-2682
Libvirt virtualization library http://libvirt.org
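
The arithmetic in the quoted report, as an added example that is not part of the original thread and is not coreutils, gnulib or glibc code: it checks with integer arithmetic how many Xs 64 random bits can cover, then fills every trailing X from its own rejection-sampled byte. The names `bits_cover_suffix` and `fill_template`, the alphabet order and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const char ALPHABET[] =   /* character order is an assumption */
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
enum { BASE = 62 };              /* possibilities per X, per the report */

/* 1 if `bits` random bits (capped at 64) can select among all
   BASE**n_x suffixes, i.e. BASE**n_x <= 2**bits; otherwise 0. */
int bits_cover_suffix(unsigned bits, unsigned n_x)
{
    uint64_t limit = bits >= 64 ? UINT64_MAX : (UINT64_C(1) << bits) - 1;
    uint64_t count = 1;
    for (unsigned i = 0; i < n_x; i++) {
        if (count > limit / BASE)   /* count * BASE would exceed limit */
            return 0;
        count *= BASE;
    }
    return 1;
}

/* Fill each trailing 'X' from its own byte of rnd, so the randomness used
   grows with the number of Xs. Bytes >= 4 * 62 are skipped to avoid modulo
   bias. Returns the number of Xs filled, or -1 if rnd runs out. */
int fill_template(char *tmpl, const unsigned char *rnd, size_t rnd_len)
{
    size_t used = 0;
    int n = 0;
    for (char *p = tmpl + strlen(tmpl); p > tmpl && p[-1] == 'X'; p--, n++) {
        int b;
        do {
            if (used == rnd_len)
                return -1;
            b = rnd[used++];
        } while (b >= 4 * BASE);
        p[-1] = ALPHABET[b % BASE];
    }
    return n;
}

int main(void)
{
    /* Constructed sample bytes; a real tool would read the OS CSPRNG. */
    static const unsigned char rnd[] = { 0, 250, 61, 62, 255, 26 };
    char name[] = "foo.XXXX";
    printf("64 bits cover 10 Xs: %d, 11 Xs: %d\n",
           bits_cover_suffix(64, 10), bits_cover_suffix(64, 11));
    return fill_template(name, rnd, sizeof rnd) < 0 || puts(name) < 0;
}
```

On a -1 return the template may be partly filled, so a caller should discard it rather than use the name.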


This bug report was last modified 13 years and 292 days ago.
