Date: Thu, 22 Mar 2012 09:24:07 -0400
From: "Todd C. Miller" <Todd.Miller@...rtesan.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE for OpenBSD random() bug?

> It would seem this fits into the "weaker than advertised" class of
> security problem. Thoughts/comments (anyone strongly against this)?

Since random(3) is not a cryptographically secure random function
I'm not sure that it makes sense to assign a CVE.

I suppose it really depends on the likelihood of someone calling
srandom(0); I don't know why anyone would do that on purpose.  If
you must use random(3) instead of something stronger like arc4random(3),
it is possible to seed the PRNG via /dev/arandom using srandomdev(3)
or set the seed state manually via initstate(3), both of which
provide more than just 32 bits of seed data.

 - todd
