https://issues.apache.org/bugzilla/show_bug.cgi?id=54752
Bug ID: 54752
Summary: mod_ssl should not use uninitialized memory as random seed
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: [email protected]
Reporter: [email protected]
Classification: Unclassified
mod_ssl's 'builtin' random seed uses uninitialized stack memory as a random seed.
This is undefined behavior in C and can cause other seemingly unrelated code to
be optimized away. See
http://kqueue.org/blog/2012/06/25/more-randomness-or-less/ for an example.
Also, the docs are wrong in that they claim that the scoreboard memory is used as
a seed, which is not the case.
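An added example, not part of the bug report and not mod_ssl code: a seed gatherer that reads only bytes with defined values and reports how much of the seed came from the kernel RNG, so a weak seed is visible to the caller. The names gather_seed and mix_into_pool, the 32-byte seed length and the use of /dev/urandom are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#define SEED_LEN 32

/* Pattern the report objects to (schematic, kept in a comment so this
 * file contains no undefined behavior):
 *
 *     unsigned char stackdata[256];               // never written
 *     mix_into_pool(stackdata, sizeof stackdata); // reads indeterminate bytes
 *
 * mix_into_pool is a hypothetical name, not a mod_ssl function. */

/* Fill out[0..len) using only inputs with defined values.
 * Returns how many bytes came from the kernel RNG device at `path`.
 * A result smaller than len means the rest is guessable time/pid filler,
 * so the caller can log it or refuse to continue. */
size_t gather_seed(unsigned char *out, size_t len, const char *path)
{
    size_t got = 0;
    FILE *f;

    memset(out, 0, len);              /* every byte now has a defined value */
    f = fopen(path, "rb");
    if (f != NULL) {
        got = fread(out, 1, len, f);
        fclose(f);
    }
    if (got < len) {
        /* Defined but low-entropy fallback: expand time and pid. */
        unsigned long long v = (unsigned long long)time(NULL)
                             ^ ((unsigned long long)getpid() << 32);
        for (size_t i = got; i < len; i++) {
            v = v * 6364136223846793005ULL + 1442695040888963407ULL;
            out[i] = (unsigned char)(v >> 56);
        }
    }
    return got;
}

int main(void)
{
    unsigned char seed[SEED_LEN];
    size_t n = gather_seed(seed, sizeof seed, "/dev/urandom");
    printf("%zu of %d seed bytes came from the kernel RNG\n", n, SEED_LEN);
    return n == SEED_LEN ? 0 : 1;
}
```

Because no indeterminate value is ever read, the compiler has no undefined behavior to reason from and cannot drop the mixing step the way the linked article describes.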