12 дек. 2014 г. 8:04 пользователь "Theo de Raadt" <dera...@cvs.openbsd.org>
написал:
>
> In all of these code blocks, a well-known piece of information
> (the same time on your machine as everywhere else) is being used to seed a
> deterministic number generator.
>
> At some later point, deterministic numbers are taken out using rand(),
> random(), drand48(), lrand48(), mrand48(), or srand48(), or some
> derivative function inside the program itself, and used for WHO KNOWS
> WHAT PURPOSE.
>
> I did not audit what the numbers are being used for.
>
> Quite likely some numbers are just used to help hashing.  Some could
> be used to print pretty pictures.  But in xulrunner?  In the zip password
> creator? In postgresql, or say in openldap (a network related thing)?
>
> It is doubtful they are all fine.
>
> For the benefit of other projects who haven't taken the same steps as
> OpenBSD, it would be nice if some people helped out these pieces of
> software.
>
> EMBOSS-6.0.1    srand((unsigned) time(&tm));
> ORBit2-2.14.19  srand (t.tv_sec ^ t.tv_usec ^ getpid () ^ getuid ());
> apr-util-1.5.3    srand((unsigned int)(((time_now >> 32) ^ time_now) &
0xffffffff));
> apr-util-1.5.3    srand((unsigned int)apr_time_now());
> aqualung-0.9beta11      srand(time(0));
> aqualung-0.9beta11      srand(time(NULL));
> audacious-3.5.2    srand (time (NULL));
> audacious-plugins-3.5.2    srand(time(NULL));
> audacity-1.3.9   srand(time(0));
> audacity-1.3.9   srand(time(NULL));
> audacity-1.3.9    srand( (unsigned int) time(NULL) );
> birda-1.1    srandom(t.tv_sec^t.tv_usec);
> boost-1.53.0        std::srand( runtime_config::random_seed() );
> boost-1.53.0  srand(time(0));
> boost-1.53.0    generator() { srand(time(0)); }
> boost-1.53.0        generator() { srand(time(0)); }
> boost-1.53.0    std::srand(time(0) + world.rank());
> boost-1.53.0    std::srand(time(0) + world.rank());
> boost-1.53.0  srand(time(0) + world.rank());
> boost-1.53.0  srand(time(0) + world.rank());
> boost-1.53.0  std::srand(time(0) + world.rank());
> boost-1.53.0  std::srand(time(0) + world.rank());
> boost-1.53.0    srand( time(NULL) );
> boost-1.53.0        srand( time( NULL ) );
> boost-1.53.0    srand ( time(NULL) );
> boost-1.53.0    std::srand(static_cast<unsigned>(std::time(0)));
> boost-1.53.0    std::srand(static_cast<unsigned>(std::time(0)));
> boost-1.53.0  srand(time(0));
> boost-1.53.0  srand(time(0));
> boost-1.53.0    std::srand((unsigned int)std::time(NULL));
> boost-1.53.0    srand(time(0));
> bullet-2.81//   srand(time(NULL) / 30);
> bullet-2.81             srand((unsigned)time(NULL)); // Seed it...
> bullet-2.81     srand ( time ( 0x0 ) );
> c3270-3.3.11.6  srand(time(NULL));
> c3270-3.3.11.6  srandom(time(NULL));
> c3270-3.3.11.6  srand(time(NULL));
> c3270-3.3.11.6  srandom(time(NULL));
> c3270-3.3.11.6  srand(time(NULL));
> c3270-3.3.11.6  srandom(time(NULL));
> c3270-3.3.11.6  srand(time(NULL));
> c3270-3.3.11.6  srandom(time(NULL));
> c3270-3.3.11.6  srand(time(NULL));
> c3270-3.3.11.6  srandom(time(NULL));
> c3270-3.3.11.6  srand(time(NULL));
> c3270-3.3.11.6  srandom(time(NULL));
> caps-plugins-0.4.4      srandom (tv.tv_sec ^ tv.tv_usec);
> celestia-1.6.1  std::srand(std::time(NULL));
> celestia-1.6.1  std::srand(time(NULL));
> celestia-1.6.1        srandom(time(NULL));
> celt-0.11.1   srand(time(NULL));
> celt07-0.7.1   srand(time(NULL));
> cgdb-0.6.8        srand(time(NULL));
> clementine-1.2.3  srandom((int)[[NSDate date] timeIntervalSince1970]);
> clementine-1.2.3    srandom(time(NULL));
> clementine-1.2.3        srand ( time ( NULL ) );
> clementine-1.2.3  qsrand((time.tv_sec * 1000) + (time.tv_usec / 1000));
> cmake-3.0.2    srand((unsigned)time(0));
> cmake-3.0.2  srand((unsigned int)time(NULL)+randomizer++); /* seed */
> codeblocks-13.12    srand( time(NULL) );
> codeblocks-13.12        inline void ini_random() { srand(time(0)); };
> codeblocks-13.12            srand((unsigned)time(0));
> codeblocks-13.12    srand(time(nullptr));
> codeworker-4.5.4        if (iSeed >= 0) srand((unsigned) iSeed);
> codeworker-4.5.4        else srand((unsigned) time(NULL));
> db-3.1.17       srand((u_int)time(NULL));
> db-3.1.17       srand(getpid() | time(NULL));
> db-3.1.17       srand((unsigned int)time(NULL));
> db-4.6.21       srand((u_int)time(NULL));
> db-4.6.21       srand(getpid() | time(NULL));
> db-4.6.21       srand((unsigned int)time(NULL));
> db-4.6.21               srand((u_int)time(NULL) % (u_int)getpid());
> db-4.6.21       srand((u_int)(time(NULL) | getpid()));
> db-4.6.21       srand((u_int)(time(NULL) | getpid()));
> deadbeef-0.6.2    srand (time (NULL));
> deadbeef-0.6.2//    srand ((uint) ::time(NULL));
> deadbeef-0.6.2  srand(time(NULL));
> deadbeef-0.6.2  fixed random playback bug caused by libsidplay2 calling
srand(time(NULL))
> festival-1.95beta#    define seed_random() srand((unsigned)time(NULL))
> festival-1.95beta#    define seed_random() srandom(time(NULL));
> festival-1.95beta    srand(time(NULL));
> flac-1.3.0      srand((unsigned)time(0));
> flac-1.3.0      srand((unsigned)time(0));
> flac-1.3.0      srand((unsigned)time(0));
> fldigi-3.21.83//        srand(time(NULL));
> fritzing-0.9.0  srand ( time(NULL) );
> fritzing-0.9.0        srand((unsigned)(time(NULL) ^ ZCR_SEED2));
> giblib-1.2.4   srand(getpid() * time(NULL) % ((unsigned int) -1));
> glyr-1.0.2    srand (time (NULL) );
> glyr-1.0.2    srand (time (NULL) );
> gperf-3.0.4    srand (static_cast<long>(time (0)));
> gqmpeg-0.91.1   srand(time(NULL));
> gsl-1.16.0.3-ruby21  srand(time(NULL));
> gtkpod-1.0.0    srand(time(NULL));
> hydrogen-0.9.4  srand( time( NULL ) );
> hylafax-6.0.6    srand(time(NULL));
> iozone-3.429    srand(time(0));
> jack-0.121.3    srandom (time ((time_t *) 0));
> jpilot-1.8.2   srandom(time(NULL));
> jpilot-1.8.2      srandom(time(NULL));
> jpilot-1.8.2   srand(time(NULL) * getpid());
> kdevplatform-1.6.0        srand(time(NULL));
> kdevplatform-1.6.0        srand(time(NULL));
> kdevplatform-1.6.0  //srand(time(NULL));
> kdevplatform-1.6.0      srand(time(NULL));
> kdevplatform-1.6.0    std::srand( std::time ( 0 ) );
> kicad-20100505        srand((unsigned)(time(NULL) ^ ZCR_SEED2));
> ksmp3play-0.5.1  srand ((unsigned int) time (NULL));
> kyotocabinet-1.2.76  srand(time(NULL));
> lame-3.99.5    srand ( time (NULL) );
> libivykis-0.36.2        srand(time(NULL) ^ getpid());
> libmemcached-0.48      srandom((uint32_t) time(NULL));
> libmemcached-0.48    srandom((uint32_t) time(NULL));
> libmemcached-0.48  srandom((unsigned int)time(NULL));
> libmemcached-0.48  srandom((unsigned int)time(NULL));
> libmodplug-0.8.8.5                      srandom((uint32_t)time(0));
 // initialize random generator with seed
> libmp3splt-0.5.4  srand(time(NULL));
> libmtp-1.1.6    srand(time(NULL));
> liboil-0.3.17  srand(time(NULL));
> liboil-0.3.17  srand(time(NULL));
> liboil-0.3.17  srand(time(NULL));
> libreoffice-4.3.4.1    srand((unsigned int)time(NULL));
> libreoffice-4.3.4.1    srand( (unsigned) time( NULL ) );       // Random
Seed Init fuer Interpreter
> libreoffice-4.3.4.1    srand( unsigned( time( NULL ) ));
> libreoffice-4.3.4.1        srand( (unsigned)(t = time( NULL )) );
> libreoffice-4.3.4.1    srand( unsigned( time( NULL ) ));
> libreoffice-4.3.4.1    srand( (unsigned)time( NULL ) );
> libyubikey-1.12  srand (time (NULL));
> lmms-0.4.8              srand( time( NULL ) );
> lmms-0.4.8    srand(time(NULL));
> lmms-0.4.8//    srand(time(0));
> lmms-0.4.8      srand (tv.tv_sec ^ tv.tv_usec);
> lmms-0.4.8      srand( getpid() + time( 0 ) );
> lmms-0.4.8              srand( getpid() + time( 0 ) );
> madplay-0.15.2b    srand(time(0));
> mariadb-10.0.14  srand((uint) time(NULL));
> mariadb-10.0.14  srand(time(0));
> mariadb-10.0.14  srand(time(0));
> mariadb-10.0.14  srand(time(0));
> mariadb-10.0.14  srand(time(0));
> mariadb-10.0.14  srand(num*time(NULL));
> mariadb-10.0.14    srand(time(NULL)/(i+1));
> mariadb-10.0.14    srand((i+1)*time(NULL));
> mariadb-10.0.14  srand(num*time(NULL));
> mariadb-10.0.14    srand(num*time(NULL));
> mariadb-10.0.14  srand(num*time(NULL));
> mariadb-10.0.14    srand (time(NULL));
> mariadb-10.0.14    srandom(time(NULL));
> mariadb-10.0.14 srandom(tv.tv_sec * 1000000 + tv.tv_usec);
> mariadb-10.0.14 // Once upon a time srandom(8) caused this test to fail.
> mariadb-10.0.14    srandom(time(0));
> mariadb-10.0.14    srandom((uint)time(NULL));
> mgetty+sendfax-1.1.37    srand((unsigned)time(NULL));
> mgetty+sendfax-1.1.37     srand(time(NULL) | getpid());
> mgetty+sendfax-1.1.37               srand(time(NULL) | getpid());
> mgetty+sendfax-1.1.37               srandom(time(NULL) | getpid());
> mico-2.3.13  srand (time (0));
> mikmod-3.2.6    srand(time(NULL));
> mikmod-3.2.6                    srandom(time(NULL));
> mimepp-1.0      srand(time(0));
> mongodb-2.6.4            srand( ++z ^ (unsigned) time(0));
> mongodb-2.6.4        std::srand( runtime_config::random_seed() );
> motif-2.3.4    srand((int) time(NULL));
> mp3blaster-3.2.5        srand((unsigned int)time(&t));
> mp3blaster-3.2.5  srandom(time(&t));
> mpg123-1.21.0#include <time.h> /* For srand(). */
> mpg321-0.3.2    srand(time(NULL));
> mscore-1.3              srand(time(NULL) ^ 3141592654UL);
> nap-1.5.3    srand(tv.tv_usec + 1000000*tv.tv_sec);
> ncmpcpp-0.6.1   srand(time(nullptr));
> netstrain-3.0  srand(time(NULL));
> ode-0.12    srand( static_cast< unsigned int >( time( 0 ) ) );
> openldap-2.4.40 srand(time(NULL));
> openldap-2.4.40 srand(time(NULL));
> openldap-2.4.40 srand(time(NULL));
> openldap-2.4.40 srand(time(NULL));
> openldap-2.4.40 srand(time(NULL));
> openldap-2.4.40         srv_srand(time(0L));
> openmpi-1.4.1    srandom( (int)time(NULL) );
> openmpi-1.4.1    srand((unsigned int)time(NULL));
> opennap-0.44    srand (global.current_time + getuid () + getpid ());
> opus-tools-0.1.9  srand(((getpid()&65535)<<15)^start_time);
> orc-0.4.19  srand(time(NULL));
> p5-Data-UUID-1.217      srand((unsigned int)(((time_now >> 32) ^
time_now)&0xffffffff));
> pcb-20110918    effect usage in our application.  Added srand( time(NULL)
) to main.c to set the seed.
> pcb-20110918#include <time.h> /* Seed for srand() */
> pcb-20110918  srand ( time(NULL) ); /* Set seed for rand() */
> pgbouncer-1.5.4 srandom(time(NULL) ^ getpid());
> pgpool-II-3.2.3 srandom((unsigned int) (getpid() ^ uptime.tv_usec));
> physfs-2.0.3            srand((unsigned int) time(NULL));
> pms-0.42        srand(time(NULL));
> postgresql-9.3.5        srandom((unsigned int)
INSTR_TIME_GET_MICROSEC(start_time));
> postgresql-9.3.5        srandom((unsigned int) time(NULL));
> pulseaudio-5.0    srand((unsigned) time(NULL));
> pulseaudio-5.0    srand((unsigned) time(NULL));
> qdbm-1.8.78  if(cnt == 0) srand(time(NULL));
> qdbm-1.8.78  if(cnt == 0) srand(time(NULL));
> qdbm-1.8.78  if(cnt == 0) srand(time(NULL));
> qdbm-1.8.78  srand(time(NULL));
> qdbm-1.8.78  if(cnt == 0) srand(time(NULL));
> qdbm-1.8.78  srand(time(NULL));
> qdbm-1.8.78  if(cnt == 0) srand(time(NULL));
> qdbm-1.8.78  if(cnt == 0) std::srand(std::time(NULL));
> qgit-1.5.7      srand (time(NULL));
> quazip-0.7        srand((unsigned)(time(NULL) ^ ZCR_SEED2));
> qucs-0.0.16  ::srand (::time (NULL));
> redis-2.8.17    srandom(time(NULL));
> redis-2.8.17    srand(time(NULL));
> redis-2.8.17    srand(time(NULL)^getpid());
>
rplay-3.3.2main(v,c)char**c;{srandom((int)time(!++c)*getpid());v-->1?printf("%s\n",c[random()%v]):(int)v;}
> rplay-3.3.2             srandom(time(NULL));
> schismtracker-20100101        srand(time(NULL));
> scmxx-0.8.0  srand(time(NULL));
> siege-2.70  srand( (unsigned)time( NULL ) * seed );
> silc-toolkit-1.1.12    srand((time(NULL) + buf_len) ^ rand());
> smstools3-3.1.15  srand((int)(time(NULL) * getpid()));
> snack2.2.10    srand(time(NULL));
> soprano-2.9.4        srand( time(0) );
> soundtracker-0.6.8    srand (time(NULL));
> sparsehash-2.0.2  srand(r);   // keep compiler from optimizing away r (we
never call rand())
> sparsehash-2.0.2  srand(9);
> sparsehash-2.0.2  srand(r);   // keep compiler from optimizing away r (we
never call rand())
> sparsehash-2.0.2  srand(r);   // keep compiler from optimizing away r (we
never call rand())
> speex-1.2rc1   srand(time(NULL));
> strigi-0.7.7pl1    srand((unsigned int)time(NULL));
> sunclock-3.56-no_maps        srandom(Context->time);
> sysbench-0.4.8    srandom(time(NULL));
> tap-plugins-0.7.1       srand(time(0));
> teknap-1.3g     srand((unsigned)time(NULL));
> teknap-1.3g   $srand($time())             a very large seed
> timidity-2.13.2     srand(time(NULL));
> timidity-2.13.2  srand(time(NULL));
> timidity-2.13.2      srand(time(NULL));
> timidity-2.13.2    srand(time(NULL));
> tla-1.2  srandom (time (0));
> tla-1.2  srandom (time (0));
> tracker-5.3        srand(time(0));
> tracker-5.3        srand(time(0));
> tremor-tools-1.0                srand(time(NULL));
> tremor-tools-1.0    srandom(time(NULL));
> tremor-tools-1.0        srand(time(NULL));
> virtuoso-6.1.6      srand((double) microtime() * 1000000);
> virtuoso-6.1.6      srand ((unsigned int) time(NULL));
> virtuoso-6.1.6      srand ((unsigned) time (NULL));
> virtuoso-6.1.6  srand ((unsigned int) (((time_now >> 32) ^ time_now) &
0xffffffff));
> virtuoso-6.1.6        srand((unsigned)(time(NULL) ^ ZCR_SEED2));
> vorbis-tools-1.4.0        srandom(time(NULL));
> vorbis-tools-1.4.0                srand(time(NULL) ^ getpid());
> vorbis-tools-1.4.0      srand(time(NULL) ^ getpid());
> wmglobe-1.3             srandom(((int) time(NULL)) + ((int) getpid()));
> wmmp3-0.12      srand(time(NULL));
> x3270-3.3.6     srandom(time(NULL));
> xearth-1.1  srandom(((int) time(NULL)) + ((int) getpid()));
> xhippo-3.5  srand(time(0));
> xmcd-2.6        srand((unsigned) time(NULL));
> xmcd-2.6        srand((unsigned) time(NULL));
> xmms-1.2.11                     srandom(time(NULL));
> xmms2-0.8       srand (time (NULL));
> xulrunner-24.8.0      srand(time(nullptr));
> xulrunner-24.8.0  srand(time(NULL));
> xulrunner-24.8.0  srand(time(NULL));
> xulrunner-24.8.0  srand(time(NULL));
> xulrunner-24.8.0  srand(time(NULL));
> xulrunner-24.8.0  srand((unsigned int)time(NULL));
>
xulrunner-24.8.0/mozilla-esr24/security/nss/lib/freebl/mpi/utils/bbsrand.c-
seed = time(NULL);
> xulrunner-24.8.0    srand((unsigned int)time(NULL));
> xulrunner-24.8.0  srand(seed);
> xulrunner-24.8.0  srand(time(NULL) * (unsigned int)pid);
> xulrunner-24.8.0  srand(time(NULL));
> xulrunner-24.8.0        srand((unsigned int)time(NULL));
> xulrunner-24.8.0  srand(static_cast<uint32_t>(time(NULL)));
> xulrunner-24.8.0    srand(time(0));
> xulrunner-24.8.0    srand( (unsigned)time( NULL ) ); /* seed random
number generator */
> xulrunner-24.8.0  srand(time(0));
> xulrunner-24.8.0  srandom((int)[[NSDate date] timeIntervalSince1970]);
> xulrunner-24.8.0    srand(time(NULL));
> xulrunner-24.8.0    srand(time(0));
> xulrunner-24.8.0    srandom(time(NULL));
> xulrunner-24.8.0    srandom(time(NULL));
> xulrunner-24.8.0  srandom(time(NULL));
> xulrunner-24.8.0  srandom(time(NULL));
> xulrunner-24.8.0  srandom(time(NULL));
> xulrunner-24.8.0  srandom(time(NULL));
> xulrunner-24.8.0  srandom(time(NULL));
> xulrunner-24.8.0  srandom(time(NULL));
> xulrunner-24.8.0  srandom(time(NULL));
> xulrunner-24.8.0  srandom(time(NULL));
> xulrunner-24.8.0  srandom(time(NULL));
> xulrunner-24.8.0  srandom(time(NULL));
> xulrunner-24.8.0  srandom(time(NULL));
> xulrunner-24.8.0  srandom(time(NULL));
> xulrunner-24.8.0  srandom(time(NULL));
> xulrunner-24.8.0  srandom(time(NULL));
                     \
> xulrunner-24.8.0  srandom(time(NULL));
                     \
> xulrunner-24.8.0  srandom(time(NULL));
                     \
> xulrunner-24.8.0  srandom(time(NULL));
                     \
> xulrunner-24.8.0  srandom(time(NULL));
                     \
> xulrunner-24.8.0  srand((unsigned int) time(NULL));
> xulrunner-24.8.0  srand((unsigned int) time(NULL));
> xulrunner-24.8.0                        srand((unsigned int)time(NULL) );
> xulrunner-24.8.0                        srand((unsigned int)time(NULL));
> xulrunner-24.8.0                        srand((unsigned int)time(NULL));
> xulrunner-24.8.0      srand(time(NULL) );
> xulrunner-24.8.0        srand(time(NULL));
> xulrunner-24.8.0      srand(time(NULL));
> xulrunner-24.8.0    srand(timeGetTime());
> xulrunner-24.8.0    cpr_srand((unsigned int)time(NULL));
> xulrunner-24.8.0    cpr_srand((unsigned int)time(NULL));
> xulrunner-24.8.0    cpr_srand((unsigned int)time(NULL));
> zip-3.0          standard UNIX C runtime library functions: time(),
rand(), srand().
> zip-3.0        srand((unsigned)time(NULL) ^ ZCR_SEED2);

I'll take care of Clementine, Virtuoso and KDE stuff.

Thank you for the detailed list.

--
Vadim Zhukov
