← Back to team overview

desktop-packages team mailing list archive

[Bug 983810] Re: libxml2 security update fails to address problem and breaks thread-safety


This made it's way into Ubuntu LTS. This is becoming a trend with broken

You received this bug notification because you are a member of Desktop
Packages, which is subscribed to libxml2 in Ubuntu.

  libxml2 security update fails to address problem and breaks thread-

Status in libxml2:
Status in “libxml2” package in Ubuntu:
Status in “libxml2” package in Debian:

Bug description:
  Using libxml2 2.7.8.dfsg-4ubuntu0.2 from (K)Ubuntu 11.10.

  In an attempt to address oCERT 2011-003, libxml2 now seeds its hash
  table with using rand(). This is broken and lame:

  Firstly, srand() and rand() are not thread-safe, even though libxml2
  is supposed to be thread-safe (when adequately initialized by the
  program). The fix is easy: replace srand() with a variable assignment,
  and replace rand() with rand_r().

  Secondly, using time(NULL) as a seed totally misses the point. It is
  trivial for a potential attacker to guess the value of time(NULL).
  That's the current UTC current time rounded to the second.

To manage notifications about this bug go to: