This is the mail archive of the cygwin-apps mailing list for the Cygwin project.



[RFU] gnupg-1.4.9-2


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Since nobody has answered my mail (see below), I have decided to treat this possible security issue seriously and not to use /dev/random anymore in future gnupg releases.

Port Notes:
- ----- version 1.4.9-2 -----
* gnupg does not use /dev/random anymore but the builtin entropy gatherer for
  W32 (rndw32.c). Possible security issue, see:
  http://en.wikipedia.org/w/index.php?title=CryptGenRandom&oldid=190115987

Package location:
=================
wget \
  http://home.arcor.de/thuffir/cygwin/gnupg/gnupg-1.4.9-2-src.tar.bz2 \
  http://home.arcor.de/thuffir/cygwin/gnupg/gnupg-1.4.9-2.tar.bz2

Signatures:
===========
wget \
  http://home.arcor.de/thuffir/cygwin/gnupg/gnupg-1.4.9-2-src.tar.bz2.sig \
  http://home.arcor.de/thuffir/cygwin/gnupg/gnupg-1.4.9-2.tar.bz2.sig; \
gpg --keyserver subkeys.pgp.net --recv-keys FD65117B 1CE0C630; \
gpg --verify gnupg-1.4.9-2-src.tar.bz2.sig; \
gpg --verify gnupg-1.4.9-2.tar.bz2.sig

Build:
======
mkdir gnupg-1.4.9-2-build; \
cd gnupg-1.4.9-2-build; \
tar xjvf ../gnupg-1.4.9-2-src.tar.bz2; \
cygport gnupg-1.4.9-2 all

Cheers
Gergely Budai


> -----Original Message-----
> From: cygwin-apps
> On Behalf Of Gergely Budai
> Sent: Friday, 28 March 2008 17:51
> To: cygwin-apps
> Subject: gnupg and /dev/random
> 
> 
> Dear Community!
> 
> It appears to me that gnupg has always been using /dev/random on cygwin
> since its first release (1.0.7-1). AFAIK cygwin is using CryptGenRandom()
> for this device. According to Wikipedia, several "significant weaknesses"
> had been found recently in the Windows 2000 and XP implementation of that
> function. According to that same Wikipedia article, Microsoft is planning
> to fix that bug with the release of SP3 for XP, but not planning (at least
> it has not said it would do so) to fix it for Windows 2000.
>
> Since the presence of a strong cryptographical random function is the
> prerequisite of cryptography and some of us are still going to use Cygwin
> on Windows 2000 in the future, my question is the following:
> Would it not be better to configure the future gnupg cygwin releases not
> to use /dev/random, but the builtin randomness entropy gatherer developed
> specially for Windows (rndw32.c)?
>
> Looking forward to your kind opinions,
> Gergely Budai
> 
> Sources:
> http://en.wikipedia.org/wiki/CryptGenRandom
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)

iEYEARECAAYFAkf1DPwACgkQ15iwsP1lEXveWwCfdP6tjFvXDm58C+yQWpmmgcAf
KK4An1Zy+UrnbigkIUeusKkYa1ktUdxk
=G9Zb
-----END PGP SIGNATURE-----
