Hey Paul,

On Sun, Aug 19, 2018 at 08:07:37AM +0200, Paul Gevers wrote:
Hi Vincent,

On 18-08-18 17:49, Vincent Blut wrote:
Linux 4.16 fixed CVE-2018-1108 by making the getrandom system call (without GRND_NONBLOCK) block if insufficient entropy is available. This causes applications to hang. Maybe this is the reason.

Absolutely Paul, this is the root cause of our issue. I pushed a fix¹ on salsa (plus a few more things), that would be great if you could upload that.

Do you know if this issue is going to appear in stretch as well? Is CVE-2018-1108 going to be fixed there?
We should be safe. Stretch has been released with chrony 3.0 which does not use getrandom(2) nor does it try to call this system call through syscall(2). getrandom(2) usage appeared in chrony 3.2.
Build and uploading now.
Awesome, thanks a lot!
Paul
Have a good day, Vincent
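
Added example, not part of the thread and not chrony's code: a C sketch of the behaviour discussed above, calling getrandom(2) with GRND_NONBLOCK so that an uninitialised entropy pool is reported as EAGAIN instead of hanging the caller. The function name and status codes are hypothetical; it assumes Linux with glibc 2.25 or later for `<sys/random.h>`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>   /* getrandom(2) wrapper, glibc >= 2.25 */

/* Hypothetical status codes for this example. */
enum rand_status { RAND_OK = 0, RAND_NOT_READY = 1, RAND_UNAVAILABLE = 2 };

/* Fill buf with len random bytes without ever blocking.
 * GRND_NONBLOCK turns the "insufficient entropy" wait into EAGAIN,
 * so the caller decides what to do instead of hanging at early boot. */
enum rand_status fill_random_nonblock(unsigned char *buf, size_t len)
{
    size_t done = 0;

    while (done < len) {
        ssize_t n = getrandom(buf + done, len - done, GRND_NONBLOCK);
        if (n > 0) {
            done += (size_t)n;       /* short reads are allowed; keep going */
        } else if (n < 0 && errno == EINTR) {
            continue;                /* interrupted by a signal; retry */
        } else if (n < 0 && errno == EAGAIN) {
            memset(buf, 0, len);     /* never hand back partial output */
            return RAND_NOT_READY;   /* the case that blocks without the flag */
        } else {
            memset(buf, 0, len);
            return RAND_UNAVAILABLE; /* e.g. ENOSYS on kernels before 3.17 */
        }
    }
    return RAND_OK;
}

int main(void)
{
    unsigned char key[32];

    switch (fill_random_nonblock(key, sizeof key)) {
    case RAND_OK:
        puts("entropy pool ready: got 32 bytes without blocking");
        return 0;
    case RAND_NOT_READY:
        puts("entropy pool not ready: a blocking getrandom() would hang here");
        return 1;
    default:
        perror("getrandom");
        return 2;
    }
}
```

On RAND_NOT_READY the caller has to choose between retrying later and failing; substituting a weaker source for key material would undo what the kernel change protects.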