concerning 760476

Nikos Mavrogiannopoulos nmav at gnutls.org
Tue Oct 28 09:59:41 UTC 2014


Hello,
 I think that the bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760476

is more serious than it seems. By closing gnutls' /dev/urandom
descriptor, cups makes gnutls read from whatever file is open and has
the same descriptor number in order to fill its random pool. In the
reported case we were lucky that the descriptor didn't allow reads and
the issue was detected.

I think that the issue should be reassigned to cups and it should be
modified to close the known file descriptors (stdin/stdout/stderr)
instead of all open descriptors.

regards,
Nikos

PS. That issue helped uncover an unnecessary early refresh of
gnutls' random state, but applying this patch [0] would only postpone
the issue for a few hours (until the state needs to be refreshed again).

[0] https://gitorious.org/gnutls/gnutls/commit/a52184e8cddef9d812717db106334e0610b5438f
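As an added illustration of the descriptor-reuse hazard described in the mail (example code, not from the mail, cups or gnutls): it replays the sequence in a single process, with a constructed temp file standing in for "whatever file is open", and shows an fstat-based device/inode check that a library holding a long-lived descriptor can use to notice that its descriptor no longer refers to /dev/urandom.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
struct fd_identity { dev_t dev; ino_t ino; };   /* file a descriptor pointed at */

/* Record device/inode so later reuse of the same descriptor number by a
 * different file can be noticed. Returns 0 on success, -1 on error. */
static int fd_identity_capture(int fd, struct fd_identity *id) {
    struct stat st;
    if (fstat(fd, &st) != 0) return -1;
    id->dev = st.st_dev; id->ino = st.st_ino;
    return 0;
}

/* 1 if fd still refers to the recorded file, 0 if it was closed or now
 * refers to something else (the condition the mail describes). */
static int fd_identity_matches(int fd, const struct fd_identity *id) {
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    return st.st_dev == id->dev && st.st_ino == id->ino;
}

/* Replays the reported sequence in one process: a library opens /dev/urandom,
 * another component closes that descriptor behind its back, and the next
 * open() is handed the same number. Returns 1 when the stale descriptor now
 * yields the unrelated file's bytes and the check catches it, else 0; -1 on setup error. */
int demo_fd_reuse_detected(void) {
    struct fd_identity id;
    char buf[4] = {0};
    char path[] = "/tmp/fdreuseXXXXXX";           /* constructed temp file */
    int rnd = open("/dev/urandom", O_RDONLY);
    if (rnd < 0 || fd_identity_capture(rnd, &id) != 0) return -1;
    close(rnd);                                   /* the "close everything" step */
    int other = mkstemp(path);                    /* reuses the lowest free number */
    if (other < 0) return -1;
    unlink(path);
    if (write(other, "AAAA", 4) != 4 || lseek(other, 0, SEEK_SET) != 0) return -1;
    /* The library still holds the number rnd and reads "randomness" from it. */
    int got_file_data = read(rnd, buf, 4) == 4 && memcmp(buf, "AAAA", 4) == 0;
    int caught = !fd_identity_matches(rnd, &id);
    close(other);
    return other == rnd && got_file_data && caught;
}
int main(void) {
    printf("stale descriptor reused and detected: %d\n", demo_fd_reuse_detected());
    return 0;
}
```

The same check also shows why closing only stdin/stdout/stderr, as the mail proposes, is the safer daemon behaviour: a descriptor the library never expected to lose cannot be silently swapped for another file.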