Debian Bug report logs - #532521
predictable random number generator used in web browsers

Package: w3m; Maintainer for w3m is Tatsuya Kinoshita <tats@debian.org>; Source for w3m is src:w3m.

Reported by: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>

Date: Tue, 9 Jun 2009 19:18:01 UTC

Severity: normal

Tags: security



Report forwarded to debian-bugs-dist@lists.debian.org, Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>:
Bug#532514; Package webkit. (Tue, 09 Jun 2009 19:18:04 GMT)


Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>. (Tue, 09 Jun 2009 19:18:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: predictable random number generator used in web browsers
Date: Tue, 9 Jun 2009 15:16:45 -0400
package: webkit
severity: serious
tags: security

hello,

it has been discovered that all of the major web browsers use a
predictable pseudo-random number generator (PRNG).  please see
reference [0]. the robust solution is to switch to a provably
unpredictable PRNG such as Blum Blum Shub [1,2].

[0] http://www.trusteer.com/temporary-user-tracking-in-major-browsers
[1] Lenore Blum, Manuel Blum, and Michael Shub, "A Simple Unpredictable
Pseudo-Random Number Generator," SIAM Journal on Computing, volume 15,
pages 364-383, May 1986.
[2] http://rng.doesntexist.org/gmpbbs




Bug 532514 cloned as bug 532516. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Tue, 09 Jun 2009 19:30:06 GMT)


Bug 532514 cloned as bug 532517. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Tue, 09 Jun 2009 19:30:08 GMT)


Bug 532514 cloned as bug 532518. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Tue, 09 Jun 2009 19:30:09 GMT)


Bug 532514 cloned as bug 532519. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Tue, 09 Jun 2009 19:30:11 GMT)


Bug 532514 cloned as bug 532520. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Tue, 09 Jun 2009 19:30:13 GMT)


Bug 532514 cloned as bug 532521. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Tue, 09 Jun 2009 19:30:14 GMT)


Bug reassigned from package `webkit' to `w3m'. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Tue, 09 Jun 2009 19:30:22 GMT)


Severity set to `normal' from `serious'. Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Thu, 25 Jun 2009 22:33:06 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jun 5 03:08:23 2023; Machine Name: buxtehude
