desktop-packages team mailing list archive
-
desktop-packages team
-
Mailing list archive
-
Message #125154
[Bug 983810] Re: libxml2 security update fails to address problem and breaks thread-safety
lucid has seen the end of its life and is no longer receiving any
updates. Marking the lucid task for this ticket as "Won't Fix".
** Changed in: libxml2 (Ubuntu Lucid)
Status: Confirmed => Won't Fix
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to libxml2 in Ubuntu.
https://bugs.launchpad.net/bugs/983810
Title:
libxml2 security update fails to address problem and breaks thread-
safety
Status in libxml2:
New
Status in libxml2 package in Ubuntu:
Fix Released
Status in libxml2 source package in Lucid:
Won't Fix
Status in libxml2 source package in Precise:
Confirmed
Status in libxml2 source package in Trusty:
Fix Released
Status in libxml2 package in Debian:
New
Bug description:
Using libxml2 2.7.8.dfsg-4ubuntu0.2 from (K)Ubuntu 11.10.
In an attempt to address oCERT 2011-003, libxml2 now seeds its hash
table with using rand(). This is broken and lame:
Firstly, srand() and rand() are not thread-safe, even though libxml2
is supposed to be thread-safe (when adequately initialized by the
program). The fix is easy: replace srand() with a variable assignment,
and replace rand() with rand_r().
Secondly, using time(NULL) as a seed totally misses the point. It is
trivial for a potential attacker to guess the value of time(NULL).
That's the current UTC current time rounded to the second.
To manage notifications about this bug go to:
https://bugs.launchpad.net/libxml2/+bug/983810/+subscriptions