flak rss random

timeline of libexpat random vulnerability

libexpat calls rand to obtain a secret hash salt. That’s not good. Actually, as far as vulnerabilities go, it’s pretty chickenshit, but perhaps there’s a lesson to be learned.

2012-03-24 - libexpat 2.1.0 released with a fix for an algorithmic hash table attack (CVE-2012-0876). It uses rand() seeded by srand(time(NULL)) to obtain a hash table salt.

2012-04-01 - libexpat 2.1.0 imported to OpenBSD. The rand calls are replaced with arc4random as spotted by deraadt and nicm. April Fools!

2012-04-05 - A public report that using random may be too predictable.

2013 - Tick tock.

2014 - Tick tock.

2015-02-07 - Redhat bug filed. The complaint is not that rand is a poor choice for secret salts, but that calling srand interferes with the proper malfunctioning of other rand consumers.

2016-06-04 - libexpat is the proud recipient of two more CVE awards. By sheer miraculous luck, OpenBSD is not susceptible. Users of other operating systems need not be alarmed as libexpat has been patched to use getpid as a source of entropy as well.

  const unsigned long entropy =
      gather_time_entropy() ^ getpid() ^ (unsigned long)parser;

Lesson to be learned? Sometimes bad things happen and there’s nothing we can do to prevent them. So it goes.

Posted 10 Jun 2016 05:40 by tedu Updated: 10 Jun 2016 05:40