Bug 815650

Summary: VUL-1: libxdmcp insufficient randomness
Product: [Novell Products] SUSE Security Incidents Reporter: Sebastian Krahmer <krahmer>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED DUPLICATE QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: meissner, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: maint:planned:update
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Sebastian Krahmer 2013-04-17 11:52:00 UTC
I am sorry, but it seems a lot of ppl mess with X these days...
(The patch was inlined in the mail)


Date: Wed, 17 Apr 2013
From: Matthieu Herrb
To: xorg-security


Someone in OpenBSD doing a 64 bit time_t audit found this (I hope the
patch is self-explaining).

Should it just be sent to the devel list or is it a big enough risk to
go through an embargo period first ?

Fixing the issue for systems without arc4random() is left as an
exercise too..

Index: Key.c
RCS file: /cvs/xenocara/lib/libXdmcp/Key.c,v
retrieving revision 1.1
diff -u -r1.1 Key.c
--- Key.c       11 Nov 2010 10:14:40 -0000      1.1
+++ Key.c       17 Apr 2013 08:41:51 -0000
@@ -61,9 +61,14 @@
     long    lowbits, highbits;

     srandom ((int)getpid() ^ time((Time_t *)0));
     lowbits = random ();
     highbits = random ();
+    lowbits = arc4random();
+    highbits = arc4random();
     getbits (lowbits, key->data);
     getbits (highbits, key->data + 4);
Index: configure.ac
RCS file: /cvs/xenocara/lib/libXdmcp/configure.ac,v
retrieving revision 1.4
diff -u -r1.4 configure.ac
--- configure.ac        10 Mar 2012 13:58:12 -0000      1.4
+++ configure.ac        17 Apr 2013 08:41:51 -0000
@@ -53,7 +53,7 @@

 # Checks for library functions.
-AC_CHECK_FUNCS([srand48 lrand48])
+AC_CHECK_FUNCS([srand48 lrand48 arc4random])

 # Obtain compiler/linker options for depedencies

Matthieu Herrb
xorg-security mailing list
Comment 2 Stefan Dirsch 2013-06-19 05:58:21 UTC
Hmm. Still no fix committed to git.
Comment 3 Stefan Dirsch 2013-06-20 07:39:30 UTC
Any news to that one?
Comment 4 Stefan Dirsch 2013-07-16 12:47:27 UTC
Still no commit in git. Is it still being discussed upstream or can we close this one?
Comment 5 Sebastian Krahmer 2013-07-16 13:50:12 UTC
re-setting to VUL-1, so it can be added to next regular
update. (I have not seen more discussion on that topic on
the list, seems upstream forgot about it)
Comment 6 Stefan Dirsch 2013-07-30 07:54:46 UTC
Well, feel free to reassign back to me, once you received an official patch or at least any news on that one. Thanks.
Comment 7 Marcus Meissner 2017-07-14 10:34:52 UTC
independend research has also found this, it is now fixed via bug 1025046

*** This bug has been marked as a duplicate of bug 1025046 ***