xdp_mkstempat uses extremely poor PRNG #243

Closed
setharnold opened this issue Nov 2, 2018 · 3 comments
@setharnold

/* Get some more or less random data. */

Hello,

I noticed that xdp_mkstempat() uses a really poor PRNG. Since the mkstemp() family of functions is used primarily for generating filenames that are extremely difficult for an attacker to collide, I believe this function should be using a significantly stronger RNG, preferably getrandom(2) if new-enough Linux is the target OS, or /dev/urandom if new-enough unix-alike is the target OS.

Thanks

@matthiasclasen
Contributor

I don't think it matters here.

@matthiasclasen
Contributor

Fixing this should probably start at the source - this code is more or less copied from glib, which is more or less copied from glibc...

@GeorgesStavracas GeorgesStavracas moved this to Needs Triage in Triage Oct 2, 2023
@GeorgesStavracas
Member

Seems like not to be under anyone's radar. As Matthias mentions, it's just copying other more security sensitive places.

@GeorgesStavracas closed this as not planned Oct 6, 2023
@github-project-automation github-project-automation bot moved this from Needs Triage to Triaged in Triage Oct 6, 2023
agx pushed a commit to agx/xdg-desktop-portal that referenced this issue Dec 20, 2023