From: Richard Copley
Subject: bug#22202: 24.5; SECURITY ISSUE -- Emacs Server vulnerable to random number generator attack on Windows systems
Date: Thu, 31 Dec 2015 17:47:18 +0000
That last patch would still improve matters. The user would have to be publishing the output of their PRNG to begin with in order for the attacker to analyse it and guess the seed. (I don't know how one could do that but that's no proof that it's impossible.) What Demetri has just described is what I would do. (Sorry again that I can't assist with a patch.) + if (w32_crypto_hprov) + w32_init_crypt_random (); should be + if (! w32_crypto_hprov) + w32_init_crypt_random ();
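Review bot: in the corrected form, `if (! w32_crypto_hprov) w32_init_crypt_random ();`, nothing in the lines shown checks whether the initialization succeeded, so if the call fails w32_crypto_hprov is still unset when execution continues. The code after this call should test the handle again and treat a failure as an error, rather than carrying on with the seeded PRNG whose guessable seed this thread is about. A one-line comment that the handle is initialised lazily on first use would also make the intent of the negated test clear.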