[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#64609: PGP5i may generate predictable keys - reads /dev/random incorrectly

retitle 64609 [HELP!] pgp5i /dev/random reading predictable, no longer builds from source

On Wed, May 24, 2000 at 03:18:18PM +0000, Rick Scott wrote:
> Package: pgp5i
> Version: 5.0-3
> Severity: grave
> (Version:  Upstream version 5.0i)
> The security flaw is described in detail at 
> http://cryptome.org/cipn052400.htm#pgp
> The code that reads data from /dev/random returns a stream of 
> 1's instead of random bytes, which can in some instances
> result in generation of predicatable keys.
> A one-line patch is available at the given URL.  The bug is
> apparently present only in PGP 5.0i - other version numbers
> and ports of 5.0 to platforms without a /dev/random device
> don't share it.

	The fix is simple, but there's a related problem.
	pgp5i won't build anymore, even without the change!

gcc -O -DUNIX=1  -Wall -W -Wshadow -Wpointer-arith -Wmissing-prototypes -Wwrite-strings -DHAVE_CONFIG_H -DPGPTRUSTMODEL=0 -DDEBUG=1 -DUNFINISHED_CODE_ALLOWED=0    -I../../../. -I../../.././include -I../include -I.      -c -o pgpRndPool.o pgpRndPool.c
pgpRndPool.c: In function `pgpRandPoolAddEntropy':
pgpRndPool.c:339: Invalid `asm' statement:
pgpRndPool.c:339: fixed or forbidden register 0 (ax) was spilled for class AREG.

	Anyone knowledgeable enough please help. Otherwise
	I am going to ask for the release manager to remove
	pgp5i from potato _and_ woody -- I think GnuPG can
	do all it can.

unix, linux, debian, networks, security, | A file that big?
kernel, TCP/IP, C, perl, free software,  | It might be very useful.
mail, www, sw devel, unix admin, hacks.  | But now it is gone.

Reply to: