Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 6 Apr 2017 10:39:28 +0200
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: libxslt math.random issue

On Thu, Apr 06, 2017 at 10:32:45AM +0200, Hanno Böck wrote:
> Hi,
> 
> On Thu, 6 Apr 2017 07:44:00 +0200
> Marcus Meissner <meissner@...e.de> wrote:
> 
> > CVE-2015-9019 has been assigned to use of libexslt (in libxslt) usage
> > of "math.random" without initializing the randomseed.
> > 
> > https://bugzilla.gnome.org/show_bug.cgi?id=758400
> > https://bugzilla.suse.com/show_bug.cgi?id=934119
> 
> I have some questions and comments:
> 
> 1. What's the use of the random number and what's the security impact
> if it's not random? That's not explained
> In case of the bugreport.
> In case a cryptographically secure random number is required then using
> rand()/srand() is a bad idea anyway.
> (Unfortunately there's no secure random in the standard libc, but at
> least glibc now has getrandom.).


It is a bit tricky to find out. I googled some use-cases.

- UUID generation was looked for by 1 stackoverflow user
- some harmless randomness in XSLT conversion for selection random pictures

> 2. This part of the patch looks a bit strange:
> 
> +	seed = time(NULL); /* just in case /dev/urandom is not there */
> +	if (fd == -1) {
> +		read (fd, &seed, sizeof(seed));
> +		close (fd);
> +	}
> 
> You're calling time() unconditionally, although it's kinda just a
> fallback. Why not
> +	if (fd == -1) {
> +		read (fd, &seed, sizeof(seed));
> +		close (fd);
> +	} else {
> +		seed = time(NULL);
> +	}
> ?
> 
> (obviously using time is not a secure way to do random numbers, if
> secure numbers are required cross-plattform you need to do this
> otherwise anyway)

it should be fd != -1 , my bad :/

Ciaop, Marcus

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ