Edit report at http://bugs.php.net/bug.php?id=51436&edit=1

 ID:               51436
 Comment by:       crrodriguez at opensuse dot org
 Reported by:      andreas at andreas dot org
 Summary:          LCG entropy fix insufficient, uniqid leaks entropy,
                   leads to weak session IDs
 Status:           Assigned
 Type:             Bug
 Package:          *Encryption and hash functions
 Operating System: all
 PHP Version:      5.3.2
 Assigned To:      pajoye

 New Comment:

I think uniqid() should also use a zend_mm_random()-like random value when
more_entropy is set to true instead of the LCG ...
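
As an added example, not code from this report or from PHP itself: a PHP 5.3-era hardening snippet that applies the setting the thread discusses (session.entropy_file pointed at /dev/urandom, which trunk made the default but 5.3 had not at the time) and a token helper that reads the kernel RNG directly rather than taking LCG output from uniqid(..., true). The ini directives are real PHP settings; the function names are this example's own.

```php
<?php
// Added example: make the session module draw its entropy from the kernel RNG
// instead of the LCG-seeded default that this report describes as predictable.
// harden_session_entropy() and random_token() are names chosen for this example.

function harden_session_entropy($device = '/dev/urandom', $bytes = 32)
{
    if (!is_readable($device)) {
        // No readable RNG device: report it instead of silently keeping the
        // LCG-based default.
        return false;
    }
    // session.entropy_file / session.entropy_length are the settings the
    // thread refers to; both are PHP_INI_ALL, so ini_set() before session_start() works.
    ini_set('session.entropy_file', $device);
    ini_set('session.entropy_length', (string) $bytes);
    ini_set('session.hash_function', '1');          // SHA-1 instead of MD5
    ini_set('session.hash_bits_per_character', '5');
    return ini_get('session.entropy_file') === $device
        && (int) ini_get('session.entropy_length') === $bytes;
}

// uniqid($prefix, true) appends LCG output. For security tokens, read the
// kernel RNG directly; loop because fread() may return fewer bytes than asked.
function random_token($bytes = 16, $device = '/dev/urandom')
{
    $fh = @fopen($device, 'rb');
    if ($fh === false) {
        throw new RuntimeException("cannot open $device");
    }
    $raw = '';
    while (strlen($raw) < $bytes) {
        $chunk = fread($fh, $bytes - strlen($raw));
        if ($chunk === false || $chunk === '') {
            fclose($fh);
            throw new RuntimeException("short read from $device");
        }
        $raw .= $chunk;
    }
    fclose($fh);
    return bin2hex($raw);
}

if (!harden_session_entropy()) {
    error_log('no kernel RNG available; session IDs still depend on the LCG');
}
session_start();
echo random_token(), "\n";   // 32 hex chars from /dev/urandom, independent of the LCG
```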


Previous Comments:
------------------------------------------------------------------------
[2010-04-07 17:44:16] paj...@php.net

And assigned to me, almost done with the patch we discussed.

------------------------------------------------------------------------
[2010-04-07 17:43:49] paj...@php.net

Well, the easiest to "backport" something now and here is to use the
given settings. You can do it right now.

------------------------------------------------------------------------
[2010-04-07 17:21:47] andreas at andreas dot org

I strongly suggest backporting.  Also, the fact that uniqid() values are
predictable too needs addressing.

------------------------------------------------------------------------
[2010-03-31 20:30:53] ras...@php.net

I have switched the default in trunk to either /dev/urandom or
/dev/arandom if it exists.  We actually already had a check for it in
Zend for the zend_mm_random() function.  Whether we backport this to 5.3
or just improve the documentation for that setting is up to Johannes, I
think.

------------------------------------------------------------------------
[2010-03-31 20:03:18] ras...@php.net

Automatic comment from SVN on behalf of rasmus
Revision: http://svn.php.net/viewvc/?view=revision&revision=297232
Log: Set session.entropy_file to /dev/urandom or /dev/arandom by
default if present at compile-time.  Addresses part of bug #51436

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    http://bugs.php.net/bug.php?id=51436

