Make WordPress Core

Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#35970 closed defect (bug) (invalid)

Compat random_int issue with hanging mcrypt iv generator when urandom unreadable

Reported by: phil1984's profile phil1984 Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.4.2
Component: External Libraries Keywords:
Focuses: Cc:

Description

I noticed that after upgrading to the latest wordpress, I can no longer login. This is arguably a server configuration problem, but in my opinion it could be handled better in the wordpress compat code.

When /dev/urandom is not in the open_basedir it is not readable by PHP. When the random_bytes compat runs, it selects the mcrypt option. This causes the line

mcrypt_create_iv($bytes, MCRYPT_DEV_URANDOM);

to hang at 100% CPU with DSO php, probably because mcrypt is waiting for the random bytes that never come. Since mcrypt depends on reading from /dev/urandom it shouldn't be selected as a fallback in random_compat/random.php

In fact, if /dev/urandom is not readable it may cause problems with the other compat fallbacks like openssl.

Change History (3)

#1 @ocean90
9 years ago

  • Keywords reporter-feedback added

Hello @phil1984, welcome to Trac!

In #35665 we have updated the random_compat library to version 1.1.6 which includes a change for that: https://github.com/paragonie/random_compat/blob/master/CHANGELOG.md#version-116---2015-01-29

Can you test the current beta of WordPress 4.5 and report back if this solves your issue?

#2 @phil1984
9 years ago

  • Resolution set to invalid
  • Status changed from new to closed

Thanks for the link @ocean90 My appologies. Then this is not a wordpress bug. I will take it up with the random_compat team.

I can see the change, and I actually think it will make things worse. That restriction would force more environments on to the mcrypt fallback. The problem is that if urandom is not readable, there is no point in falling back to mcrypt because that eventually uses urandom too.

#3 @ocean90
9 years ago

  • Component changed from General to External Libraries
  • Keywords reporter-feedback removed
  • Milestone Awaiting Review deleted
Note: See TracTickets for help on using tickets.