Michael S. Gilbert dixit:

>i'm triaging this issue for linux, and i don't believe that it has an
>arc4random implementation.

There are several implementations; I wrote one based on jrand48 but
self-seeding from /proc/sys/kernel/random_uuid for klibc (not really
using aRC4, but sharing the API), Debian libbsd has one (available in
Lenny on all arches),
https://www.mirbsd.org/MirOS/dist/hosted/other/arc4random.c
contains another one, OpenSSH comes with one.

>so this would mean that lynx is using the
>very insecure linear congruential algorithm

lrand48 at least doesn't expose the entire seed, so you'd still
need quite some effort to find it out.

>affected

Some things are another issue actually. For example, OpenSSL is
separate from this _again_. There is no JavaScript(tm) in Lynx,
luckily, so that one wouldn't be affected either. You'd really
have to look where entropy is used in the source code.

bye,
//mirabilos
-- 
“It is inappropriate to require that a time represented as
 seconds since the Epoch precisely represent the number of
 seconds between the referenced time and the Epoch.”
	-- IEEE Std 1003.1b-1993 (POSIX) Section B.2.2.2
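
The design described in the message above (an arc4random-shaped call backed by jrand48 and self-seeded from /proc/sys/kernel/random_uuid), as an added sketch that is not the klibc code or any code from this thread. The names `seed_from_uuid` and `compat_arc4random` and the way the UUID is folded into the seed are assumptions made for illustration; the generator state is only the 48 bits that jrand48 keeps.

```c
#define _DEFAULT_SOURCE               /* exposes jrand48() on glibc */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

static unsigned short prng_state[3];  /* 48-bit jrand48 state */
static int prng_seeded;

/* Fold the 32 hex digits of a UUID into a 48-bit jrand48 seed.
 * Returns 0 on success, -1 on malformed input. */
int seed_from_uuid(const char *uuid, unsigned short xsubi[3]) {
    uint64_t half[2] = {0, 0};
    int n = 0;
    for (const char *p = uuid; *p && n < 32; p++) {
        int d;
        if (*p == '-') continue;
        if (*p >= '0' && *p <= '9') d = *p - '0';
        else if (*p >= 'a' && *p <= 'f') d = *p - 'a' + 10;
        else if (*p >= 'A' && *p <= 'F') d = *p - 'A' + 10;
        else return -1;
        half[n / 16] = (half[n / 16] << 4) | (uint64_t)d;
        n++;
    }
    if (n != 32) return -1;
    uint64_t mix = half[0] ^ half[1];  /* 128 bits -> 64 */
    mix ^= mix >> 48;                  /* fold the top 16 bits down */
    xsubi[0] = mix & 0xffff;
    xsubi[1] = (mix >> 16) & 0xffff;
    xsubi[2] = (mix >> 32) & 0xffff;
    return 0;
}

/* Every read of this file returns a freshly generated UUID. */
static int self_seed(void) {
    char buf[64] = {0};
    FILE *f = fopen("/proc/sys/kernel/random_uuid", "r");
    if (!f) return -1;
    char *ok = fgets(buf, sizeof buf, f);
    fclose(f);
    if (!ok || seed_from_uuid(buf, prng_state) != 0) return -1;
    prng_seeded = 1;
    return 0;
}

/* arc4random()-shaped entry point (hypothetical name, avoids a libc clash). */
uint32_t compat_arc4random(void) {
    if (!prng_seeded && self_seed() != 0) abort();  /* never run unseeded */
    return (uint32_t)jrand48(prng_state);
}

int main(void) { printf("%08x\n", (unsigned)compat_arc4random()); return 0; }
```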
