New submission from Christian Heimes: A couple of reports and check-in messages like
Postgres / pgcrypto CVE-2013-1900 http://bugs.ruby-lang.org/issues/4579 http://www.exim.org/lurker/message/20130402.171710.92f14a60.fi.html suggests that OpenSSL's PRNG should be reset or re-seeded after fork(). Otherwise child processes can generate the same or similar pseudo random values. Python doesn't have an API to run code before and after fork yet. The patch uses pthread_atfork() for the task. It's available on all pthread platforms -- which are all official supported platforms that have fork(), too. The patch doesn't use RAND_cleanup() like Postgres because child process would hav to initial the PRNG again by opening and reading from /dev/urandom. The atfork prepare hook pulls from random bytes from the PRNG and stores them in a static buffer. The child handler seeds the PRNG from that buffer + pid + current time. PID and current time are mixed into the state to extenuate race conditions. ---------- components: Extension Modules files: openssl_prng_atfork.patch keywords: patch messages: 195247 nosy: christian.heimes, haypo priority: normal severity: normal stage: patch review status: open title: Re-seed OpenSSL's PRNG after fork type: security versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4 Added file: http://bugs.python.org/file31300/openssl_prng_atfork.patch _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue18747> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
