[PATCH libXdmcp v2] Use getentropy() if arc4random_buf() is not available

Alan Coopersmith alan.coopersmith at oracle.com
Sun Apr 23 00:46:59 UTC 2017


On 04/ 4/17 10:13 AM, Benjamin Tissoires wrote:
> This allows to fix CVE-2017-2625 on Linux platforms without pulling in
> libbsd.
> The libc getentropy() is available since glibc 2.25 but also on OpenBSD.
> For Linux, we need at least a v3.17 kernel. If the recommended
> arc4random_buf() function is not available, emulate it by first trying
> to use getentropy() on a supported glibc and kernel. If the call fails,
> fall back to the current (vulnerable) code.
>
> Signed-off-by: Benjamin Tissoires <benjamin.tissoires at gmail.com>

Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>


-- 
	-Alan Coopersmith-              alan.coopersmith at oracle.com
	 Oracle Solaris Engineering - http://blogs.oracle.com/alanc


More information about the xorg-devel mailing list