This is the mail archive of the cygwin-apps mailing list for the Cygwin project.


[RFU] gnupg-1.4.9-2

Since nobody has answered my mail (see below), I have decided to treat this possible security issue seriously and not to use /dev/random anymore in future gnupg releases.

Port Notes:
----- version 1.4.9-2 -----
* gnupg does not use /dev/random anymore but the builtin entropy gatherer for
  W32 (rndw32.c). Possible security issue, see:

Package location:
wget \ \

wget \ \; \
gpg --keyserver --recv-keys FD65117B 1CE0C630; \
gpg --verify gnupg-1.4.9-2-src.tar.bz2.sig; \
gpg --verify gnupg-1.4.9-2.tar.bz2.sig

mkdir gnupg-1.4.9-2-build; \
cd gnupg-1.4.9-2-build; \
tar xjvf ../gnupg-1.4.9-2-src.tar.bz2; \
cygport gnupg-1.4.9-2 all

Gergely Budai

> -----Original Message-----
> From: cygwin-apps
> On Behalf Of Gergely Budai
> Sent: Friday, 28 March 2008 17:51
> To: cygwin-apps
> Subject: gnupg and /dev/random
>
> Dear Community!
>
> It appears to me that gnupg has always been using /dev/random on
> cygwin since its first release (1.0.7-1). AFAIK cygwin is using
> CryptGenRandom() for this device. According to Wikipedia, several
> "significant weaknesses" had been found recently in the Windows 2000
> and XP implementation of that function. According to that same
> Wikipedia article, Microsoft is planning to fix that bug with the
> release of SP3 for XP, but not planning (at least did not tell to do
> so) to fix it for Windows 2000.
>
> Since the presence of a strong cryptographical random function is the
> prerequisite of cryptography and some of us are still going to use
> Cygwin on Windows 2000 in the future, my question is the following:
>
> Would not it be better to configure the future gnupg cygwin releases
> not to use /dev/random, but the builtin and specially for windows
> developed randomness entropy gatherer (rndw32.c)?
>
> Looking forward to your kind opinions,
> Gergely Budai
>
> Sources: