[issue9123] insecure os.urandom on VMS

2012-05-01 Thread Martin v. Löwis
Martin v. Löwis added the comment: I'm closing this as "won't fix". Unless somebody is able to report that they actually tested the proposed change successfully, there is no point in adding it. Most likely, Python won't even build on VMS, in which case this is not a security issue at all.

[issue9123] insecure os.urandom on VMS

2012-04-13 Thread STINNER Victor
STINNER Victor added the comment: -if (RAND_pseudo_bytes((unsigned char*) +if (RAND_bytes((unsigned char*) This is not a good idea: RAND_bytes() is blocking, whereas os.urandom() doesn't block on other platforms. os.urandom() is similar to /dev/urandom (non blocking), whereas

[issue9123] insecure os.urandom on VMS

2012-04-13 Thread STINNER Victor
STINNER Victor added the comment: > This issue is a security vulnerability. I disagree, it's just an issue of a comment in the C code. The Python documentation doesn't guarantee that os.urandom() is cryptographic. Use ssl.RAND_bytes(), added to Python 3.3, if you need cryptographic random nu

[issue9123] insecure os.urandom on VMS

2012-04-13 Thread Antoine Pitrou
Changes by Antoine Pitrou: nosy: +haypo stage: -> patch review versions: +Python 3.3

[issue9123] insecure os.urandom on VMS

2012-04-12 Thread Adi Roiban
Changes by Adi Roiban: nosy: +adiroiban

[issue9123] insecure os.urandom on VMS

2010-06-30 Thread Antoine Pitrou
Changes by Antoine Pitrou: components: +Library (Lib) nosy: +loewis type: -> security versions: +Python 2.6, Python 2.7, Python 3.1, Python 3.2

[issue9123] insecure os.urandom on VMS

2010-06-29 Thread Zooko O'Whielacronx
Zooko O'Whielacronx added the comment: This issue is a security vulnerability.

[issue9123] insecure os.urandom on VMS

2010-06-29 Thread Zooko O'Whielacronx
Zooko O'Whielacronx added the comment: HACK Zooko-Ofsimplegeos-MacBook-Pro:~/playground/python/release27-trunk$ svn diff Index: Modules/posixmodule.c === --- Modules/posixmodule.c (revision 82382) +++ Modules/posixmodule.c

[issue9123] insecure os.urandom on VMS

2010-06-29 Thread Zooko O'Whielacronx
New submission from Zooko O'Whielacronx: os.urandom() on VMS invokes OpenSSL's RAND_pseudo_bytes(). That is documented on: http://www.openssl.org/docs/crypto/RAND_bytes.html as being predictable and therefore unsuitable for many cryptographic purposes. This is inconsistent with the documenta