On Sun, 5 Jul 2009, Michael S. Gilbert wrote:
On Sun, 5 Jul 2009 13:08:38 +0000 (UTC) Thorsten Glaser wrote:
If arc4random(3) is available¹, lynx uses it. I sent in a patch
for that years ago. Otherwise, there is no good self-seeding SRNG
available in the standards, so it will use lrand48(3) instead²,
with a fallback to rand(3) like everyone else.
i'm triaging this issue for linux, and i don't believe that it has an
arc4random implementation. so this would mean that lynx is using the
very insecure linear congruential algorithm and is thus affected by
this issue?
It depends - lynx's configure script looks for these pairs:
arc4random_push/arc4random
arc4random_stir/arc4random
srandom/random
srand48/lrand48
srand/rand
On Debian/testing, it'll use srandom and random, whose manpage says
non-linear:
The random() function uses a non-linear additive feedback random number
generator employing a default table of size 31 long integers to return
successive pseudo-random numbers in the range from 0 to RAND_MAX. The
period of this random number generator is very large, approximately
16*((2**31)-1).
--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net_______________________________________________
Lynx-dev mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/lynx-dev