GitLab

This is due to the opening of the file using the "w+" mode - which truncates the file. There is a potentially long time when the new key is generated during which the file remains empty. Only after that, all the private keys are rewritten to the file.

The IMPACT of it happening is pretty serious, requiring new keys, reauthentication and bootstrapping for all contacts for every account. One must be lucky to be able to restore the truncated data from filesystem, before the libs try to overwrite it automatically on the next chat contact with new keys. The likelihood of this bug happening is obiously small.

I propose the patches in the attachment, which are hereby under the LGPL. This affects pidgin-otr and possibly other projects too, which use this api with "w+". This patch doesn't prevent the api user from going the w+ way, thus compatibility preserving.

What do you think? Not sure about the Priority...

STEPS TO REPRODUCE:

cat $priv_file;

click generate key in e.g. pidgin && kill -KILL pidgin

cat $priv_file.

(from redmine: created on 2015-03-04)