Bugzilla – Bug 815650
VUL-1: libxdmcp insufficient randomness
Last modified: 2017-07-14 10:34:52 UTC
I am sorry, but it seems a lot of ppl mess with X these days...
(The patch was inlined in the mail)
Date: Wed, 17 Apr 2013
From: Matthieu Herrb
Someone in OpenBSD doing a 64 bit time_t audit found this (I hope the
patch is self-explaining).
Should it just be sent to the devel list or is it a big enough risk to
go through an embargo period first?
Fixing the issue for systems without arc4random() is left as an
RCS file: /cvs/xenocara/lib/libXdmcp/Key.c,v
retrieving revision 1.1
diff -u -r1.1 Key.c
--- Key.c 11 Nov 2010 10:14:40 -0000 1.1
+++ Key.c 17 Apr 2013 08:41:51 -0000
@@ -61,9 +61,14 @@
long lowbits, highbits;
srandom ((int)getpid() ^ time((Time_t *)0));
lowbits = random ();
highbits = random ();
+ lowbits = arc4random();
+ highbits = arc4random();
getbits (lowbits, key->data);
getbits (highbits, key->data + 4);
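Review bot: the new arc4random() calls in Key.c are unconditional, but the accompanying configure.ac change only checks for the function, so builds on platforms without arc4random() will fail to link; wrap the calls in `#ifdef HAVE_ARC4RANDOM` and keep a fallback branch (the mail itself leaves the non-arc4random case open). Also confirm that `srandom ((int)getpid() ^ time((Time_t *)0));` and the two `random ()` assignments are actually removed (`-` lines) rather than left in place: as rendered here they carry no marker, and if they survive the srandom() seeding becomes dead code while still suggesting the old pid-XOR-truncated-time seed is in use. Minor: `lowbits` and `highbits` are `long` receiving a 32-bit unsigned value; harmless since getbits() consumes 4 bytes each, but uint32_t would document the intent.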
RCS file: /cvs/xenocara/lib/libXdmcp/configure.ac,v
retrieving revision 1.4
diff -u -r1.4 configure.ac
--- configure.ac 10 Mar 2012 13:58:12 -0000 1.4
+++ configure.ac 17 Apr 2013 08:41:51 -0000
@@ -53,7 +53,7 @@
# Checks for library functions.
+AC_CHECK_FUNCS([srand48 lrand48 arc4random])
# Obtain compiler/linker options for depedencies
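Review bot: `AC_CHECK_FUNCS([srand48 lrand48 arc4random])` will define HAVE_ARC4RANDOM, but nothing in the Key.c hunk tests that macro, so the check is inert until Key.c gains an `#ifdef HAVE_ARC4RANDOM` branch with a fallback for the other case. The line this `+` line replaces is not visible (no `-` line survives in the extraction); verify the previous AC_CHECK_FUNCS line was removed rather than duplicated, otherwise the same checks run twice.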
xorg-security mailing list
Hmm. Still no fix committed to git.
Any news to that one?
Still no commit in git. Is it still being discussed upstream or can we close this one?
re-setting to VUL-1, so it can be added to next regular
update. (I have not seen more discussion on that topic on
the list, seems upstream forgot about it)
Well, feel free to reassign back to me, once you received an official patch or at least any news on that one. Thanks.
independent research has also found this, it is now fixed via bug 1025046
*** This bug has been marked as a duplicate of bug 1025046 ***