This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/15813] Multiple issues in __gen_tempname
- From: "neleai at seznam dot cz" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Fri, 11 Oct 2013 21:25:16 +0000
- Subject: [Bug libc/15813] Multiple issues in __gen_tempname
- Auto-submitted: auto-generated
- References: <bug-15813-131 at http dot sourceware dot org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=15813
Ondrej Bilka <neleai at seznam dot cz> changed:
    What|Removed |Added
----------------------------------------------------------------------------
      CC|        |neleai at seznam dot cz
Severity|normal  |enhancement
--- Comment #1 from Ondrej Bilka <neleai at seznam dot cz> ---
I do not see how an attacker could use the __gen_tempname weakness; the worst he
could do is DoS / cause mkxtemp to fail, which should be handled correctly. If
you want this fixed, write a patch.
Keeping the value is more entropic than calculating it anew, as the entropy of a
sum of uncorrelated variables is at least the maximum of the entropies of the
variables. Without that we would call clock_gettime twice in quick succession,
which has almost the same entropy as calling it once.
As the __gen_tempname call does disk access, we can afford on Linux to just read
64 bits from /dev/urandom.
If an attacker can guess that, we have bigger worries than temporary files.
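The comment's suggestion of reading 64 bits from /dev/urandom, sketched as an added example that is not part of the original message and not glibc's code. The names `urandom64` and `demo_mkstemp`, the 62-character alphabet, the six-`X` template suffix and the 100-attempt limit are assumptions of this sketch.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

static const char letters[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

/* Read exactly 64 bits from /dev/urandom; 0 on success, -1 on error. */
static int urandom64(uint64_t *out)
{
    int fd = open("/dev/urandom", O_RDONLY);
    size_t got = 0;
    if (fd < 0) return -1;
    while (got < sizeof *out) {
        ssize_t n = read(fd, (char *)out + got, sizeof *out - got);
        if (n < 0 && errno == EINTR)
            continue;               /* interrupted: retry the read */
        if (n <= 0) { close(fd); return -1; }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Hypothetical helper (not glibc's code): replace the trailing "XXXXXX" and
   create the file exclusively. Returns an open fd, or -1 with errno set. */
int demo_mkstemp(char *tmpl)
{
    size_t len = strlen(tmpl);
    if (len < 6 || strcmp(tmpl + len - 6, "XXXXXX") != 0) {
        errno = EINVAL;
        return -1;
    }
    for (int attempt = 0; attempt < 100; attempt++) {
        uint64_t v;
        if (urandom64(&v) != 0) return -1;
        for (int i = 0; i < 6; i++) {   /* 62^6 < 2^36: 64 bits suffice */
            tmpl[len - 6 + i] = letters[v % 62];
            v /= 62;
        }
        int fd = open(tmpl, O_RDWR | O_CREAT | O_EXCL, 0600);
        if (fd >= 0 || errno != EEXIST)
            return fd;                  /* created, or a non-collision error */
    }
    errno = EEXIST;                     /* every candidate name was taken */
    return -1;
}
```

`O_CREAT | O_EXCL` is what makes a name collision, accidental or induced, surface as a retry or an error to the caller rather than as reuse of an existing file.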