ntpkeygen CVE-2021-22212 Follow-Up

Richard Laager rlaager at wiktel.com
Thu Jun 17 06:23:02 UTC 2021


In the course of looking at the fix (fc50a701fa) for CVE-2021-22212, I 
found a couple of things that I think are worth mentioning...

The specific change is trivial, changing the starting point of the range
from 0x21 (!) to 0x24 ($).  This avoids 0x23 (#).  However, it differs 
from the pre-bug version of this code in that it will not output 0x21 
(!) or 0x22 (") either.

I see that the pre-bug version used random.randint(0x21, 0x7e) which is 
inclusive on the upper end, while the new code uses 0x2[14] + 
secrets.randbelow(0x5d) which is exclusive on the upper end. Thus, the 
new code (both prior to and after the fix for this CVE) will no longer 
use 0x7e (~). This is arguably a bug: the behavior differs between the 
Python 3 / secrets and Python 2 / random versions for seemingly 
unintentional reasons.

Both of these slightly reduce the entropy, but I'm not sure how much it 
matters:

Pre-bug: [0x21, 0x7e] excluding 0x23 => 0x5d choices per char

Bug:     [0x21, 0x7e) aka            => 0x5d choices per char
          [0x21, 0x7d]

Now:     [0x24, 0x7e) aka            => 0x5a choices per char
          [0x24, 0x7d]

-- 
Richard


More information about the devel mailing list