From: Richard Copley
To: Eli Zaretskii
Cc: 22202@debbugs.gnu.org, Demetri Obenour, David Engster
Newsgroups: gmane.emacs.bugs
Subject: bug#22202: 24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems
Date: Wed, 30 Dec 2015 20:56:03 +0000

Ah, I forgot to mention one other thing that had occurred to me. It might not be a good idea to pass the current time to CryptGenRandom for the optional initial seed. The current time (in various forms) is already used as seed entropy by the system, and it's conceivable (though implausible) that we could be destroying entropy by doing this. It's probably better (and "acceptable" according to the documentation) not to pass any seed at all.