A new important security update, release 0.3.1, is out! Please update if you’ve been using the multiplier with version 0.3.0.
You’re only affected if you are:
- using version 0.3.0 AND
- using the multiplier AND
- using a multiplier which is not a multiple of four
Thanks to GitHub user wk3-org for the excellent and easily reproducible bug report.
The bug was introduced only in the last release 0.3.0, so if you are on 0.2.6, whether you’re using the multiplier or not, you’re fine.
However, the example configuration shows a multiplier of 10, so it was pretty easy to walk into the trap when you tried the multiplier. Also, the CI tests, which actually run dieharder tests with multipliers of 10/100/1000 and 10.000, did not catch this.
This seems like a good point to mention that you should not use the multiplier unless you really need it and know what you’re doing.
Basically, I forgot to adjust a buffer size after the libinfnoise refactoring. This led to repeating patterns on those multipliers (x%4!=0) as more data was read from the buffer than was written to it in that round (and the last bytes of the previous loop cycle were read twice).
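The bug class described above, as a simplified C model added here (it is not libinfnoise code and not the fix from the commit): a consumer copies a fixed number of bytes while the producer wrote fewer in that round, so the tail of the previous round is emitted again. `BUF_CAP`, `fill_round`, `collect`, `count_repeats`, the counter used as a noise source and the alternating round sizes are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_CAP 8 /* assumed buffer capacity for this model */

/* Constructed stand-in for the noise source: a counter, so fresh bytes never repeat nearby. */
static uint8_t next_byte(void) { static uint8_t c = 0; return ++c; }

/* One producer round: writes n fresh bytes at the start of buf and reports n. */
static size_t fill_round(uint8_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++) buf[i] = next_byte();
    return n;
}

/* Rounds alternate between BUF_CAP and short_n bytes (assumed sizes, short_n <= BUF_CAP).
 * trust_written == 0: consumer always copies BUF_CAP bytes (the bug class).
 * trust_written == 1: consumer copies only what the round reported.
 * Returns the number of bytes placed in out. */
size_t collect(uint8_t *out, int rounds, size_t short_n, int trust_written) {
    uint8_t buf[BUF_CAP] = {0};
    size_t total = 0;
    for (int r = 0; r < rounds; r++) {
        size_t written = fill_round(buf, (r % 2) ? short_n : BUF_CAP);
        size_t take = trust_written ? written : BUF_CAP;
        memcpy(out + total, buf, take);
        total += take;
    }
    return total;
}

/* Counts bytes equal to the byte BUF_CAP positions earlier, i.e. stale re-reads. */
size_t count_repeats(const uint8_t *out, size_t len) {
    size_t hits = 0;
    for (size_t i = BUF_CAP; i < len; i++)
        if (out[i] == out[i - BUF_CAP]) hits++;
    return hits;
}

int main(void) {
    uint8_t out[4 * BUF_CAP];
    size_t n = collect(out, 4, 6, 0);
    printf("fixed-size read: %zu bytes, %zu repeated\n", n, count_repeats(out, n));
    n = collect(out, 4, 6, 1);
    printf("length-aware read: %zu bytes, %zu repeated\n", n, count_repeats(out, n));
    return 0;
}
```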
Maybe it would make sense to simply not allow multipliers that result in uneven result sizes (limiting to multipliers divisible by four). Please leave your thoughts in the GitHub issue mentioned above.
So after some debugging, the actual fix was really simple; see this commit.