Hi!
Does jabberd2 work after is re-compiled with 12.04?
Anyway, I suspect you blame the following expat's function:
static unsigned long
generate_hash_secret_salt(void)
{
unsigned int seed = time(NULL) % UINT_MAX;
srand(seed);
return rand();
}
It is called once (per parser instance) with quite random value based on
current time.
That's the mostly recommended way to initialize pseudo-random generator
as far as I remember
so it looks safe for me.
BR, Eugene Agafonov.
On 06/15/2012 02:51 PM, Christof Meerwald wrote:
Hi,
just upgraded my server from Ubuntu 10.04 to 12.04 and noticed that
jabberd2 stopped working.
I finally tracked it down to the expat library which now contains a
"fix" for CVE-2012-0876. This fix tries to add some randomisation to
expat's own hash tables, but by doing so fiddles with srand and
thereby makes the random ids generated by jabberd2 much less random.
One way around this is by using the new function XML_SetHashSalt just
after creating an XML parser...
Christof
