Re: Bug#64609: PGP5i may generate predictable keys - reads /dev/random incorrectly
retitle 64609 [HELP!] pgp5i /dev/random reading predictable, no longer builds from source
On Wed, May 24, 2000 at 03:18:18PM +0000, Rick Scott wrote:
> Package: pgp5i
> Version: 5.0-3
> Severity: grave
> (Version: Upstream version 5.0i)
> The security flaw is described in detail at
> The code that reads data from /dev/random returns a stream of
> 1's instead of random bytes, which can in some instances
> result in generation of predicatable keys.
> A one-line patch is available at the given URL. The bug is
> apparently present only in PGP 5.0i - other version numbers
> and ports of 5.0 to platforms without a /dev/random device
> don't share it.
The fix is simple, but there's a related problem.
pgp5i won't build anymore, even without the change!
gcc -O -DUNIX=1 -Wall -W -Wshadow -Wpointer-arith -Wmissing-prototypes -Wwrite-strings -DHAVE_CONFIG_H -DPGPTRUSTMODEL=0 -DDEBUG=1 -DUNFINISHED_CODE_ALLOWED=0 -I../../../. -I../../.././include -I../include -I. -c -o pgpRndPool.o pgpRndPool.c
pgpRndPool.c: In function `pgpRandPoolAddEntropy':
pgpRndPool.c:339: Invalid `asm' statement:
pgpRndPool.c:339: fixed or forbidden register 0 (ax) was spilled for class AREG.
Anyone knowledgeable enough please help. Otherwise
I am going to ask for the release manager to remove
pgp5i from potato _and_ woody -- I think GnuPG can
do all it can.
unix, linux, debian, networks, security, | A file that big?
kernel, TCP/IP, C, perl, free software, | It might be very useful.
mail, www, sw devel, unix admin, hacks. | But now it is gone.