Message-Id: <201203221324.q2MDO7xu017175@core.courtesan.com>
Date: Thu, 22 Mar 2012 09:24:07 -0400
From: "Todd C. Miller" <Todd.Miller@...rtesan.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE for OpenBSD random() bug?

> It would seem this fits into the "weaker than advertised" class of
> security problem. Thoughts/comments (anyone strongly against this)?

Since random(3) is not a cryptographically secure random function
I'm not sure that it makes sense to assign a CVE. I suppose it
really depends on the likelihood of someone calling srandom(0); I
don't know why anyone would do that on purpose.

If you must use random(3) instead of something stronger like
arc4random(3), it is possible to seed the PRNG via /dev/arandom
using srandomdev(3) or set the seed state manually via initstate(3),
both of which provide more than just 32 bits of seed data.

 - todd