tags 489523 help moreinfo
thanks

Hi

I'm not sure this is an actual bug in pidgin-otr (nor libotr, for that
matter). AFAICT (but I don't know the code that much), it uses
libgcrypt's keygen procedures... I'm CC'ing OTR upstream to get some
feedback there.

Thanks

Thibaut

On Sun, Jul 6, 2008 at 5:01 PM, Johannes Langauf <[EMAIL PROTECTED]> wrote:
> Package: pidgin-otr
> Version: 3.1.0-1
> Severity: critical
> Justification: breaks unrelated software
>
> *** Please type your report below this line ***
> Steps to reproduce:
> 1) eat up all available entropy:
> 1.1) dd if=/dev/random of=/dev/null&
> 1.2) assuming dd is your first job: kill -9 %1
> 2) Generate an OTR key using pidgin-otr.
>
> Behaviour:
> The key generation uses up all remaining entropy in /dev/random. The GUI
> does not react while generating the key, which can take forever.
>
> Expected behaviour:
> The random data is taken from /dev/urandom and the GUI does not block
> for more than a couple of seconds on a sufficiently fast PC.
>
> Impact and suggestions:
> On systems with very slow entropy sources, i.e. no disk activity and no
> user input, pidgin may hang eternally. Also every other application
> which requires entropy from /dev/random will be blocked while
> pidgin-otr eats up all available entropy.
>
> The usage of pidgin-otr regularly reveals known plain text. It also
> relies on cryptographical functions which are not proven to be more
> secure than the random number generation used in /dev/urandom. Therefore
> I see no disadvantage in switching from /dev/random to /dev/urandom
> whenever /dev/urandom is available.
>
> As a workaround users can press some keys on their keyboard repeatedly
> until enough entropy is generated. It took me about 1 minute to generate
> a key this way.
>
> This is very inconvenient to me since one of my machines usually
> should have its disk turned off, as well as no mouse and no keyboard
> connected. Also on systems which rely even on just a little available
> entropy in /dev/random it may lock up the whole system for quite some
> time.
>
> -- System Information:
> Debian Release: lenny/sid
>  APT prefers testing
>  APT policy: (500, 'testing')
> Architecture: i386 (i686)
>
> Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages pidgin-otr depends on:
> ii  libc6                         2.7-10     GNU C Library: Shared libraries
> ii  libgcrypt11                   1.4.1-1    LGPL Crypto library - runtime libr
> ii  libotr2                       3.2.0-1    Off-the-Record Messaging library
> ii  pidgin                        2.4.2-2    graphical multi-protocol instant m
>
> pidgin-otr recommends no packages.
>
> -- no debconf information
-- 
Thibaut VARENE
http://www.parisc-linux.org/~varenet/
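Added example, not code from this thread nor from pidgin-otr, libotr or libgcrypt: a small C program showing the non-blocking check that avoids the hang the report describes. It opens /dev/random with O_NONBLOCK so the kernel reports EAGAIN instead of stalling the caller, exposes the kernel's entropy estimate from /proc/sys/kernel/random/entropy_avail (Linux-specific) so a GUI can warn rather than freeze, and falls back to /dev/urandom, which is the behaviour the reporter asks for. The function and macro names are my own. On Linux 5.6 and later /dev/random no longer blocks once the pool has been seeded, so the EAGAIN path is only reachable on older kernels or very early at boot.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Result codes for read_random_nonblocking() (names are my own). */
#define RND_WOULD_BLOCK (-1)   /* pool drained: a blocking read would stall here */
#define RND_ERROR       (-2)   /* device missing or read failed for another reason */

/* Read exactly len bytes from dev with O_NONBLOCK set.
 * Returns len on success, RND_WOULD_BLOCK if the kernel answers EAGAIN
 * before the buffer is full (the condition under which pidgin's GUI hangs
 * when the same read is done blocking), RND_ERROR on any other failure. */
long read_random_nonblocking(const char *dev, unsigned char *buf, size_t len)
{
    int fd = open(dev, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return RND_ERROR;

    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n > 0) {
            got += (size_t)n;
            continue;
        }
        if (n < 0 && errno == EINTR)
            continue;                      /* interrupted by a signal: retry */
        int would_block = (n < 0 && errno == EAGAIN);
        close(fd);
        return would_block ? RND_WOULD_BLOCK : RND_ERROR;
    }
    close(fd);
    return (long)got;
}

/* Kernel's current entropy estimate in bits, or -1 if /proc is unavailable.
 * A front end can check this before starting key generation and tell the
 * user what is going on instead of appearing frozen. */
long available_entropy(void)
{
    FILE *f = fopen("/proc/sys/kernel/random/entropy_avail", "r");
    if (!f)
        return -1;
    long bits = -1;
    if (fscanf(f, "%ld", &bits) != 1)
        bits = -1;
    fclose(f);
    return bits;
}

/* The policy proposed in the report: never stall the caller.
 * Try /dev/random without blocking; if the pool is drained (or the device is
 * absent), refill the whole buffer from /dev/urandom, which is driven by the
 * same kernel CSPRNG and never blocks. *used_urandom tells the caller which
 * source actually supplied the bytes so it can be logged.
 * Returns len on success or RND_ERROR. */
long fill_key_material(unsigned char *buf, size_t len, int *used_urandom)
{
    *used_urandom = 0;
    long r = read_random_nonblocking("/dev/random", buf, len);
    if (r == (long)len)
        return r;

    *used_urandom = 1;
    r = read_random_nonblocking("/dev/urandom", buf, len);
    return (r == (long)len) ? r : RND_ERROR;
}

int main(void)
{
    unsigned char seed[32];                /* constructed demo: 256-bit key seed */
    int from_urandom = 0;

    printf("entropy_avail: %ld bits\n", available_entropy());

    if (fill_key_material(seed, sizeof seed, &from_urandom) != (long)sizeof seed) {
        fprintf(stderr, "no random device available\n");
        return 1;
    }
    printf("source: %s\nseed:   ", from_urandom ? "/dev/urandom" : "/dev/random");
    for (size_t i = 0; i < sizeof seed; i++)
        printf("%02x", seed[i]);
    putchar('\n');
    return 0;
}
```

Running the program while `dd if=/dev/random of=/dev/null` drains the pool on a pre-5.6 kernel prints `source: /dev/urandom` immediately instead of hanging; on a current kernel the first attempt succeeds, which is the point of the fallback: the caller's latency no longer depends on the state of the entropy pool.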
