Bug#865297: libgnutls-deb0-28: Check for /dev/urandom validity broken

Dan Nicholson nicholson at endlessm.com
Tue Jun 20 11:40:02 UTC 2017


Package: libgnutls-deb0-28
Version: 3.3.8-6+deb8u6
Severity: normal

If the application closes open files during startup (e.g., a daemon),
it may close the file that gnutls has open for /dev/urandom. The
recommended way to handle this situation is to call
gnutls_global_init() again. This will check if the fd for /dev/urandom
is still valid and re-open it if not.

Unfortunately, the way that the /dev/urandom fd is checked is not
reliable. It only checks the mode, which might be the same if the
application reused the fd for another character device with the same
permissions (e.g., /dev/null).

A fix for this was recently backported to the gnutls_3_3_x branch:

https://gitlab.com/gnutls/gnutls/commit/5006914fda50f25807451a03616cdf2e7be0268f

It would be great if this could be included in jessie as otherwise
calling gnutls_global_init() a second time is unreliable. If it helps, I
can prepare a patch for the gnutls28 package, but I wasn't quite sure
about the patch naming conventions there.

Thanks,

--
Dan Nicholson  |  +1.206.437.0833  |  Endless
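The failure mode described in the report, as an added example that is not part of the original message or of gnutls itself: a mode-only check accepts any character device with the same permission bits (such as /dev/null), while a check that also compares st_dev, st_ino and st_rdev against the values recorded at open time detects the reused descriptor and lets a second init reopen /dev/urandom. All names (rnd_open, rnd_fd_valid, rnd_reinit, simulate_fd_reuse) are hypothetical; dup2() is used only to make the fd-number reuse reproducible.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Illustrative state (hypothetical names, not gnutls's own code): the fd
 * opened for /dev/urandom and the fstat() result recorded at open time. */
static int rnd_fd = -1;
static struct stat rnd_fd_stat;

/* Open /dev/urandom and remember its identity. Returns the fd, or -1. */
int rnd_open(void)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &rnd_fd_stat) != 0) {
        close(fd);
        return -1;
    }
    rnd_fd = fd;
    return fd;
}

/* Weak check, modelled on the behaviour the report describes: it only
 * compares st_mode, which /dev/null and /dev/urandom typically share. */
int rnd_fd_valid_mode_only(int fd)
{
    struct stat st;
    if (fd < 0 || fstat(fd, &st) != 0)
        return 0;
    return st.st_mode == rnd_fd_stat.st_mode;
}

/* Stronger check: the fd must still be a character device with the same
 * filesystem identity (st_dev, st_ino) and device number (st_rdev) as the
 * /dev/urandom we opened. A reused fd number that now refers to another
 * device fails this even when the permission bits match. */
int rnd_fd_valid(int fd)
{
    struct stat st;
    if (fd < 0 || fstat(fd, &st) != 0)
        return 0;
    return S_ISCHR(st.st_mode)
        && st.st_dev == rnd_fd_stat.st_dev
        && st.st_ino == rnd_fd_stat.st_ino
        && st.st_rdev == rnd_fd_stat.st_rdev;
}

/* What a second init call should do: keep the fd if it still refers to
 * /dev/urandom, otherwise reopen. The stale fd number is deliberately NOT
 * closed: it now belongs to the application. Returns the fd, or -1. */
int rnd_reinit(void)
{
    if (rnd_fd_valid(rnd_fd))
        return rnd_fd;
    return rnd_open();
}

/* Simulate the daemon scenario from the report: the application closed
 * our fd and the same fd number was later reused for /dev/null. dup2()
 * forces the number reuse so the scenario is reproducible. */
int simulate_fd_reuse(void)
{
    int nullfd = open("/dev/null", O_RDWR);
    if (nullfd < 0 || rnd_fd < 0)
        return -1;
    if (dup2(nullfd, rnd_fd) < 0) {
        close(nullfd);
        return -1;
    }
    close(nullfd);
    return rnd_fd;   /* same number, now refers to /dev/null */
}

int main(void)
{
    if (rnd_open() < 0)
        return 1;
    printf("after open:   mode-only=%d full=%d\n",
           rnd_fd_valid_mode_only(rnd_fd), rnd_fd_valid(rnd_fd));
    if (simulate_fd_reuse() < 0)
        return 1;
    printf("after reuse:  mode-only=%d full=%d\n",
           rnd_fd_valid_mode_only(rnd_fd), rnd_fd_valid(rnd_fd));
    int fd = rnd_reinit();
    printf("after reinit: fd=%d full=%d\n", fd, rnd_fd_valid(rnd_fd));
    return 0;
}
```

On a typical Linux system the mode-only check still reports 1 after the reuse, because both devices are 0666 character devices, while the identity-based check reports 0 and rnd_reinit() opens a fresh descriptor. Whether the mode-only check passes depends on the permission bits of the device that reused the number, which is exactly why it is not a reliable signal.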
