paragonie/random_compat 1.* uses insecure CSPRNG (openssl_random_pseudo_bytes()) #146
Conversation
Uses insecure CSPRNG (openssl_random_pseudo_bytes())
the branch name has no meaning for the vulnerability database. It is here for readability of the YAML file. Affected versions are handled by constraints. |
| branches: | ||
| 1.x: | ||
| time: ~ | ||
| versions: ['^1.0'] |
There was a problem hiding this comment.
0.9 versions are also affected. so a better constraint would be <2.0
|
Hey @AndrewCarterUK, since this was reported as security issue here, should ramsey/uuid also be added? (Same problem) |
|
@Ocramius - I'm not sure on this one. I'm not sure where to draw the line between a bug and a security issue. ping @ramsey - would be interested to hear your opinion? My opinion: Technically, UUIDs have no requirement to be cryptographically secure, and I can't see any promise of that on the repository page. However, could the fact that it produces collisions be abused? Possibly. Could most bugs potentially be abused? Probably |
|
I was of the understand this was NOT a SECURITY bug, but was merely an OCD fix to be on the "safe side". |
|
That's why this was a 2.x release rather than 1.x. |
|
@GrahamCampbell is correct. It was a breaking change made for people who distrusted The difference between version 1 and 2 is: When no other CSPRNGs are available, version 1 falls back to openssl, version 2 throws an Exception. Most non-Windows servers will never experience this error. Windows users can use version 1 safely by ensuring they installed ext/mcrypt (for Encouraging people to use version 2 instead of version 1 is safer but using version 1 isn't inherently unsafe. |
|
@GrahamCampbell @paragonie-scott - If, in certain environments, forked processes that wrap to have the same PID as a previous one produce the same data, then the output is predictable and thus not cryptographically secure. (edit: removed explanation as you obviously know what it does) I understand that this is only a problem in certain scenarios, but "only a security issue in certain circumstances" is still a security issue. |
|
Right. Version 2 is always secure (or it fails loudly), version 1 is secure unless you're running an unreliable configuration (i.e. PHP 5 on Windows without ext/mcrypt or Linux with restrictive open_basedir). That does make it a security issue. That does not make it a security issue that affects everyone who uses version 1. I was just trying to make sure the scope was clarified. |
|
then, it would be good to have a place describing exactly the issue, and have this as the link in the advisory instead of linking to the original github issue (which will confuse people). |
|
@paragonie-scott - agreed, the next question is should affected versions of I'm leaning towards no, as UUID's don't have to be crypto strong, and I don't think this library advertises them like this. |
|
A duplicate UUID can cause a mess, fwiw.
|
That doesn't make it a security advisory though? |
|
Yeah, that makes it a security advisory. Generating duplicate data on
|
|
Section 4.4 of RFC 4122 (UUID) says:
This implies that a CSPRNG should be used, but they leave it ambiguous since they don't use the words SHOULD or MUST. Section 6 say:
This seems to imply that CSPRNGs aren't necessary. I will point out that RFC 4122 does not reference RFC 2119 ("Key words for use in RFCs to Indicate Requirement Levels") as most other RFCs do. |
AndrewCarterUK
changed the title
it is mainly a security issue of the setup instead of the library itself... The linked information in the advisory should |
|
Maybe the security advisory needs to be for |
This bug wont be fixed in versions 0.x, 1.x - so there is no fix time.
|
What do we do here? |
|
Doesn't seem like the world exploded, and people surely had time to upgrade by now. My suggestion:
|
|
I generally recommend libraries set their requirement string to If people use the Roave package to avoid security pitfalls, opting for version 2 makes sense. I'd say merge it, even if it's not a game over issue. |
paragonie/random_compat#96
TL;DR - In environments where the PHP process is forked,
openssl_random_psuedo_bytescan generate the same stream of values.There are other security issues that also caused @paragonie-scott concern.
Also I'm not sure what to do with the branch name, the vulnerability spans more than one branch and can best be described as "all versions 1.*? (edit - as @stof mentioned it's actually all versions <2 )