Posted to bugs@httpd.apache.org by bu...@apache.org on 2013/03/25 23:01:46 UTC

[Bug 54752] New: mod_ssl should not use uninitialized memory as random seed

https://issues.apache.org/bugzilla/show_bug.cgi?id=54752

            Bug ID: 54752
           Summary: mod_ssl should not use uninitialized memory as random
                    seed
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: sf@sfritsch.de
    Classification: Unclassified

mod_ssl's 'builtin' random seed uses uninitialized stack memory as random seed.
This is undefined behavior in C and can cause other seemingly unrelated code to
be optimized away. See
http://kqueue.org/blog/2012/06/25/more-randomness-or-less/ for an example.

Also the docs are wrong in that they claim that the scoreboard memory is used as
seed, which is not the case.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
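The kind of seeding the report asks for, as an added example that is not httpd's or APR's own code: the seed is read from the OS entropy source with short reads and errors reported to the caller, so a failure is never silently replaced by whatever the stack buffer happened to contain. It assumes a POSIX system that provides /dev/urandom.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* Fill buf[0..len) from the OS entropy source.  Returns 0 on success and -1 on
 * any failure; the caller must treat -1 as fatal instead of falling back to
 * the (uninitialized) contents of buf. */
int seed_from_os(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY);
    size_t got = 0;
    if (fd < 0)
        return -1;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR)
            continue;          /* interrupted by a signal: retry the read */
        if (n <= 0) {          /* error or EOF: do not trust a partial buffer */
            close(fd);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Sanity check: an all-zero seed means the fill did not happen. */
int seed_is_nonzero(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= buf[i];
    return acc != 0;
}

/* Fetch two 32-byte seeds and confirm both were filled and differ.
 * Returns 1 when the seeding path works, 0 otherwise. */
int seed_self_test(void)
{
    unsigned char a[32], b[32];
    if (seed_from_os(a, sizeof a) != 0 || seed_from_os(b, sizeof b) != 0)
        return 0;
    if (!seed_is_nonzero(a, sizeof a) || !seed_is_nonzero(b, sizeof b))
        return 0;
    return memcmp(a, b, sizeof a) != 0;
}
```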


[Bug 54752] mod_ssl should not use uninitialized memory as random seed


--- Comment #1 from Takashi Sato <ta...@lans-tv.com> ---
+1

I think today httpd should use apr random functions and should not have own
random functionality.
