After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 674476 - libxml2 security update fails to address problem and breaks thread-safety
libxml2 security update fails to address problem and breaks thread-safety
Status: RESOLVED FIXED
Product: libxml2
Classification: Platform
Component: general
git master
Other Linux
: Normal normal
: ---
Assigned To: Daniel Veillard
libxml QA maintainers
Depends on:
Blocks:
 
 
Reported: 2012-04-20 15:31 UTC by James Strandboge
Modified: 2018-06-15 18:52 UTC
See Also:
GNOME target: ---
GNOME version: ---


Description James Strandboge 2012-04-20 15:31:35 UTC 
This is forwarded from:

https://bugs.launchpad.net/ubuntu/+source/libxml2/+bug/983810

"In an attempt to address oCERT 2011-003, libxml2 now seeds its hash table with using rand(). This is broken and lame:

Firstly, srand() and rand() are not thread-safe, even though libxml2 is supposed to be thread-safe (when adequately initialized by the program). The fix is easy: replace srand() with a variable assignment, and replace rand() with rand_r().

Secondly, using time(NULL) as a seed totally misses the point. It is trivial for a potential attacker to guess the value of time(NULL). That's the current UTC current time rounded to the second."
Comment 1 André Klapper 2012-04-20 17:59:55 UTC 
For better understanding, this refers to http://git.gnome.org/browse/libxml2/commit/?id=8973d58b7498fa5100a876815476b81fd1a2412a
Comment 2 David Kilzer 2016-04-04 20:56:24 UTC 
According to the bugs.launchpad.net link, this was fixed by these two commits:

<https://git.gnome.org/browse/libxml2/commit?id=379ebc1d774865fa92f2a8d80cc4da65cbe19998>

Fixed by Bug 683933:
<https://git.gnome.org/browse/libxml2/commit?id=e7715a5963afebfb027120db6914926ec9a7373d>

I think this bug can be closed.
Comment 3 André Klapper 2018-06-15 18:52:46 UTC 
Closing per last comment.