Package: pidgin-otr
Version: 3.1.0-1
Severity: critical
Justification: breaks unrelated software
*** Please type your report below this line ***

Steps to reproduce:

1) Eat up all available entropy:
   1.1) dd if=/dev/random of=/dev/null&
   1.2) Assuming dd is your first job: kill -9 %1
2) Generate an OTR key using pidgin-otr.

Behaviour:

The key generation uses up all remaining entropy in /dev/random. The GUI does not react while generating the key, which can take forever.

Expected behaviour:

The random data is taken from /dev/urandom and the GUI does not block for more than a couple of seconds on a sufficiently fast PC.

Impact and suggestions:

On systems with very slow entropy sources, i.e. no disk activity and no user input, pidgin may hang eternally. Also every other application which requires entropy from /dev/random will be blocked while pidgin-otr eats up all available entropy.

The usage of pidgin-otr regularly reveals known plain text. It also relies on cryptographic functions which are not proven to be more secure than the random number generation used in /dev/urandom. Therefore I see no disadvantage in switching from /dev/random to /dev/urandom whenever /dev/urandom is available.

As a workaround users can press some keys on their keyboard repeatedly until enough entropy is generated. It took me about 1 minute to generate a key this way. This is very inconvenient to me since one of my machines usually should have its disk turned off, as well as no mouse and no keyboard connected. Also on systems which rely on even just a little available entropy in /dev/random it may lock up the whole system for quite some time.
-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages pidgin-otr depends on:
ii  libc6        2.7-10    GNU C Library: Shared libraries
ii  libgcrypt11  1.4.1-1   LGPL Crypto library - runtime libr
ii  libotr2      3.2.0-1   Off-the-Record Messaging library
ii  pidgin       2.4.2-2   graphical multi-protocol instant m

pidgin-otr recommends no packages.

-- no debconf information
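The behaviour the report asks for, reading key material from /dev/urandom so that the application never stalls on the kernel's entropy estimate, looks like the following. This is an added illustration written for this page; it is not code from the bug report, from pidgin-otr or from libotr/libgcrypt. It assumes a Linux system with /dev/urandom, /dev/random and /proc available; the function names are this example's own. fill_urandom() is the non-blocking read loop (short reads and EINTR handled), random_would_block() probes /dev/random with O_NONBLOCK so a caller can detect the pool-drained condition from the report without waiting on it, and entropy_avail() reads the kernel's entropy estimate for diagnostics. On Linux 5.6 and later /dev/random no longer blocks once the pool is initialised, so the probe normally reports 0 on current kernels; the report predates that change.

```c
/* Added example, not from the bug report or pidgin-otr: obtain random bytes
 * without blocking on /dev/random's entropy estimate. Assumes Linux. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Fill buf with n bytes from /dev/urandom, handling short reads and EINTR.
 * Returns 0 on success, -1 on failure with errno set. /dev/urandom does not
 * block on the entropy estimate, which is the behaviour the report asks for. */
int fill_urandom(unsigned char *buf, size_t n)
{
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0) {
            if (errno == EINTR)
                continue;           /* interrupted by a signal: retry */
            int saved = errno;
            close(fd);
            errno = saved;
            return -1;
        }
        if (r == 0) {               /* EOF should never happen here */
            close(fd);
            errno = EIO;
            return -1;
        }
        got += (size_t)r;
    }
    close(fd);
    return 0;
}

/* Diagnostic probe: would a read from /dev/random block right now?
 * Returns 1 if it would (EAGAIN), 0 if a byte was available, -1 if the
 * probe itself failed. The single byte consumed is discarded, not used. */
int random_would_block(void)
{
    unsigned char b;
    int fd = open("/dev/random", O_RDONLY | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    ssize_t r = read(fd, &b, 1);
    int saved = errno;
    close(fd);
    if (r == 1)
        return 0;
    if (r < 0 && (saved == EAGAIN || saved == EWOULDBLOCK))
        return 1;
    return -1;
}

/* Kernel's current entropy estimate in bits, or -1 if it cannot be read. */
long entropy_avail(void)
{
    FILE *f = fopen("/proc/sys/kernel/random/entropy_avail", "r");
    if (!f)
        return -1;
    long v = -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Sanity check that the buffer is not a run of one repeated byte. */
int looks_varied(const unsigned char *buf, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (buf[i] != buf[0])
            return 1;
    return 0;
}

int main(void)
{
    unsigned char key[32];            /* e.g. seed material for a key generator */
    printf("entropy_avail: %ld\n", entropy_avail());
    printf("/dev/random would block now: %d\n", random_would_block());
    if (fill_urandom(key, sizeof key) != 0) {
        perror("fill_urandom");
        return 1;
    }
    printf("read %zu bytes from /dev/urandom, varied=%d\n",
           sizeof key, looks_varied(key, sizeof key));
    return 0;
}
```

The read loop matters as much as the device choice: a single read() on a character device may return fewer bytes than requested or be interrupted, and a key generator that ignores that would silently seed from a partially filled buffer.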