Date: Thu, 09 Apr 2015 14:45:27 +0200
From: Martin Prpic <mprpic@...hat.com>
To: "oss-security@lists.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE request: ntp-keygen may generate non-random symmetric keys on big-endian systems

Hi,

the recent NTP update (ntp-4.2.8p2) contains a fix for the following issue:

* [Bug 2797] ntp-keygen trapped in endless loop for MD5 keys on big-endian machines.

https://bugs.ntp.org/show_bug.cgi?id=2797

Patch:

http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=55199296N2gFqH1Hm5GOnhrk9Ypygg

While the endless loop is not a security flaw per se, the fact that ntp-keygen generates non-random keys is. If the lowest byte of the temp variable happens to be between 0x20 and 0x7f and not #, the generated MD5 key will consist of 20 identical characters, meaning only 93 possible keys can be generated.

Can a CVE please be assigned for this issue?

Thank you!

-- 
Martin Prpič / Red Hat Product Security
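
The following audit script is an added example and is not part of the original message or of the NTP project's code. It flags MD5 entries in a keys file whose key is one character repeated 20 times, the degenerate output the message describes; the keys-file layout (`keyid type key`), the type names `M`/`MD5`, and the sample entries are assumptions made for the example.

```python
# Added example: audit an ntp.keys-style file for the degenerate MD5 keys
# described in the message above. Not code from ntp-keygen.
MD5_KEY_LEN = 20  # per the message: the MD5 key consists of 20 characters

# Bounds are taken as exclusive (0x21..0x7e) with '#' removed, which matches
# the message's count of 93 possible keys.
CANDIDATES = [chr(c) for c in range(0x21, 0x7F) if chr(c) != "#"]


def weak_keyspace():
    """Every key the flawed generator could emit: one character repeated 20 times."""
    return {ch * MD5_KEY_LEN for ch in CANDIDATES}


def find_weak_keys(keys_text):
    """Return (line_number, key_id) for each MD5 entry whose key is in the weak set.

    Assumed layout per line: "<keyid> <type> <key> [# comment]".
    """
    weak = weak_keyspace()
    hits = []
    for lineno, line in enumerate(keys_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # blank line, comment line, or malformed entry
        keyid, keytype, key = fields[:3]
        if keytype.upper() in ("M", "MD5") and key in weak:
            hits.append((lineno, keyid))
    return hits


# Constructed sample input, not real key material.
SAMPLE = """\
# ntp.keys (constructed sample)
1 MD5 AAAAAAAAAAAAAAAAAAAA  # MD5 key
2 MD5 q7&Lw<x.I@f4U0)2Zt!i  # MD5 key
3 SHA1 0123456789abcdef0123456789abcdef01234567  # SHA1 key
4 MD5 ~~~~~~~~~~~~~~~~~~~~  # MD5 key
"""

if __name__ == "__main__":
    print(len(weak_keyspace()), "possible degenerate keys")
    for lineno, keyid in find_weak_keys(SAMPLE):
        print(f"line {lineno}: key id {keyid} is one repeated character; regenerate it")
```

Any entry it reports should be regenerated with a fixed ntp-keygen and redistributed to the peers that share it.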