On 12 Dec 2014, at 5:02, Theo de Raadt wrote:

In all of these code blocks a well-known piece of information
(same time on your machine as everywhere else) is being used to seed a
deterministic number generator.

At some later point, deterministic numbers are taken out using rand(),
random(), drand48(), lrand48(), mrand48(), or srand48(), or some
derivative function inside the program itself, and used for WHO KNOWS
WHAT PURPOSE.

I did not audit what the numbers are being used for.

Quite likely some numbers are just used to help hashing.  Some could
be used to print pretty pictures. But in xulrunner? In the zip password
creator? In postgresql, or say in openldap (a network related thing)?

It is doubtful they are all fine.

For the benefit of other projects who haven't taken the same steps as
OpenBSD, it would be nice if some people helped out these pieces of
software.

EMBOSS-6.0.1    srand((unsigned) time(&tm));
[...]

What you say makes sense. Is there a best practice alternative you suggest or did I miss that? Perhaps just some better initiation value, preferably not all from the same place?



devin
--
contact info: http://nacredata.com/devin
gpg public key: http://www.nacredata.com/public_key.txt
Use unique, strong passwords! https://www.nacredata.com/password.php
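
The following is an added example, not code from the thread or from any of the listed projects. It puts the quoted `srand(time())` pattern beside a draw from the kernel CSPRNG via `getentropy()`, and checks how small the time-seed space is. The function names, `TOKEN_LEN` and the sample timestamp are constructed for the illustration; it assumes a libc where `rand()` replays the `srand()` seed deterministically.

```c
/* Added example. Assumes a libc where rand() replays the srand() seed
 * deterministically, as ISO C describes (glibc does). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/random.h>   /* getentropy(): glibc >= 2.25, OpenBSD, macOS */

#define TOKEN_LEN 16

/* The quoted pattern: seed from the clock, then draw with rand(). */
static void token_from_time_seed(time_t seed, unsigned char *out)
{
    srand((unsigned)seed);
    for (size_t i = 0; i < TOKEN_LEN; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Alternative: no seed at all, bytes come from the kernel CSPRNG.
 * Returns 0 on success, -1 on failure (caller must not fall back to rand()). */
static int token_from_kernel(unsigned char *out)
{
    return getentropy(out, TOKEN_LEN);
}

/* Audit check: 1 if the time-seeded token is reproduced by some second
 * within +/- window of an estimate, i.e. the seed space is that small. */
static int reproducible_within(time_t actual, time_t estimate, long window)
{
    unsigned char target[TOKEN_LEN], trial[TOKEN_LEN];
    token_from_time_seed(actual, target);
    for (long d = -window; d <= window; d++) {
        token_from_time_seed(estimate + d, trial);
        if (memcmp(trial, target, TOKEN_LEN) == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    time_t sample = 1418360520;            /* constructed sample timestamp */
    unsigned char a[TOKEN_LEN], b[TOKEN_LEN];
    printf("time seed reproduced within 60 s: %d\n",
           reproducible_within(sample, sample + 37, 60));
    if (token_from_kernel(a) != 0 || token_from_kernel(b) != 0)
        return 1;
    printf("two kernel tokens equal: %d\n", memcmp(a, b, TOKEN_LEN) == 0);
    return 0;
}
```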
