On 04/ 4/17 10:12 AM, Benjamin Tissoires wrote:
This allows fixing CVE-2017-2626 on Linux platforms without pulling in
libbsd.
The libc getentropy() is available since glibc 2.25 but also on OpenBSD.
For Linux, we need at least a v3.17 kernel. If the recommended
arc4random_buf() function is not available, emulate it by first trying
to use getentropy() on a supported glibc and kernel. If the call fails,
fall back to the current (partly vulnerable) code.

Signed-off-by: Benjamin Tissoires <[email protected]>

---

changes in v2:
- use the getentropy() from glibc, not the plain syscall
- make it clear that arc4random_buf() should be preferred and that we
  are only adding band-aids on top of the missing function

Reviewed-by: Alan Coopersmith <[email protected]>

--
        -Alan Coopersmith-              [email protected]
         Oracle Solaris Engineering - http://blogs.oracle.com/alanc
_______________________________________________
[email protected]: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinfo/xorg-devel
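What the cover letter describes, written out as an added example in C (not the patch itself or X.Org code): an arc4random_buf() stand-in that tries glibc's getentropy() first, in 256-byte chunks because that is the call's per-request limit, and otherwise drops to a fallback. The "current" code the patch falls back to is not shown on this page, so the fallback here is an assumed /dev/urandom read.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
/* glibc >= 2.25 declares getentropy() in <unistd.h>; anything older falls back. */
#ifdef __GLIBC_PREREQ
# if __GLIBC_PREREQ(2, 25)
#  define HAVE_GETENTROPY 1
# endif
#endif
/* Assumed fallback (the patch's real fallback is not on this page): read
 * /dev/urandom in full, retrying on EINTR and short reads. 0 ok, -1 error. */
static int urandom_fill(unsigned char *p, size_t n)
{
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    for (size_t done = 0; done < n;) {
        ssize_t r = read(fd, p + done, n - done);
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) { close(fd); return -1; }
        done += (size_t)r;
    }
    close(fd); return 0;
}
/* arc4random_buf() stand-in: returns 1 if getentropy() filled buf,
 * 0 if the fallback did, -1 if neither could. */
int compat_arc4random_buf(void *buf, size_t n)
{
    unsigned char *p = buf;
#ifdef HAVE_GETENTROPY
    /* getentropy() caps one call at 256 bytes and fails with ENOSYS before kernel 3.17. */
    size_t done = 0;
    while (done < n) {
        size_t chunk = n - done > 256 ? 256 : n - done;
        if (getentropy(p + done, chunk) != 0) break;
        done += chunk;
    }
    if (done == n) return 1;
#endif
    return urandom_fill(p, n) == 0 ? 0 : -1;
}
/* Self-check: fill n bytes (n > 256 exercises chunking); -1 if all zero. */
int selftest_fill(size_t n)
{
    unsigned char buf[1024] = {0};
    if (n > sizeof buf) return -1;
    int how = compat_arc4random_buf(buf, n);
    for (size_t i = 0; i < n; i++) if (buf[i]) return how;
    return n == 0 ? how : -1;
}
```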
