Feb 18, 2019

Security Update

A new important security update, release 0.3.1, is out! Please update if you've been using the multiplier and version 0.3.0.

All the details

The issue

You're only affected if you are:

- using version 0.3.0 AND
- using the multiplier AND
- using a multiplier which is not a multiple of four

Thanks to GitHub user wk3-org for the excellent and easily reproducible bug report.

The bug was introduced only in the last release 0.3.0, so if you are on 0.2.6, whether you’re using the multiplier or not, you’re fine.

However, the example configuration shows a multiplier of 10, so it was pretty easy to walk into the trap when you tried the multiplier. Also, the CI tests, which actually run dieharder tests with multipliers of 10, 100, 1000 and 10,000, did not catch this.

This seems like a good point to mention that you should not use the multiplier unless you really need it and know what you’re doing.

The fix

Basically, I forgot to adjust a buffer size after the libinfnoise refactoring. This led to repeating patterns on those multipliers (x%4!=0), as more data was read from the buffer than was written to it in that round (and the last bytes of the previous loop cycle were read twice).
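The failure mode described above, as a simplified model added here (not the project's code and not the actual commit): a counter stands in for the generator so duplicates are easy to spot, and the 32-byte unit and four-unit buffer are assumptions chosen to reproduce the multiple-of-four condition.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UNIT 32          /* assumed bytes per multiplier unit */
#define BUF  (4 * UNIT)  /* assumed buffer size: four units */

/* Stand-in generator (a counter, not random data); returns bytes written. */
static uint32_t ctr;
static size_t fill(uint8_t *buf, size_t want) {
    size_t n = want < BUF ? want : BUF;
    for (size_t i = 0; i < n; i += 4, ctr++) memcpy(buf + i, &ctr, 4);
    return n;
}

/* buggy=1 copies BUF bytes every round; buggy=0 copies only what was written. */
size_t generate(unsigned multiplier, int buggy, uint8_t *out, size_t cap) {
    uint8_t buf[BUF] = {0};
    size_t total = (size_t)multiplier * UNIT, done = 0, len = 0;
    ctr = 0;
    while (done < total) {
        size_t written = fill(buf, total - done);
        size_t take = buggy ? BUF : written;  /* the size mismatch */
        if (len + take > cap) return 0;
        memcpy(out + len, buf, take);
        len += take; done += written;
    }
    return len;
}

/* Count UNIT-sized blocks that are byte-identical to an earlier block. */
size_t repeated_blocks(const uint8_t *data, size_t len) {
    size_t hits = 0;
    for (size_t i = UNIT; i + UNIT <= len; i += UNIT)
        for (size_t j = 0; j < i; j += UNIT)
            if (memcmp(data + i, data + j, UNIT) == 0) { hits++; break; }
    return hits;
}

/* Repeated blocks in the output produced for one multiplier. */
size_t repeats_for(unsigned multiplier, int buggy) {
    static uint8_t out[4096];
    return repeated_blocks(out, generate(multiplier, buggy, out, sizeof out));
}

int main(void) {
    printf("x10 buggy=%zu fixed=%zu\n", repeats_for(10, 1), repeats_for(10, 0));
    return 0;
}
```

With a multiplier of 10 the last round writes only two units, so the buggy path re-emits the two stale units left in the buffer from the previous round; a multiplier of 8 fills the buffer every round and shows no repeats.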

Maybe it would make sense to simply not allow multipliers that result in uneven result sizes (limiting to multipliers divisible by four). Please leave your thoughts in the GitHub issue mentioned above.

So after some debugging, the actual fix was really simple, see this commit



Credits

13-37.org Electronics

Our mission is to make open source hardware available for the German and European market and beyond.


Manuel Domke
