12 дек. 2014 г. 8:04 пользователь "Theo de Raadt" <dera...@cvs.openbsd.org> написал: > > In all of these code blocks are a well-known piece of information > (same time on your machine as everywhere else) is being used to seed a > deterministic number generator. > > At some later point, deterministic numbers are taken out using rand(), > random(), drand48(), lrand48(), mrand48(), or srand48(), or some > derivative function inside the program itself, and used for WHO KNOWS > WHAT PURPOSE. > > I did not audit what the numbers are being used for. > > Quite likely some numbers are just used to help hashing. Some could > be used to print pretty pictures. But in xulrunner? In the zip password > creator? In postgresql, or say in openldap (a network related thing)? > > It is doubtful they are all fine. > > For the benefit of other projects who haven't taken the same steps as > OpenBSD, it would be nice if some people helped out these pieces of > software. > > EMBOSS-6.0.1 srand((unsigned) time(&tm)); > ORBit2-2.14.19 srand (t.tv_sec ^ t.tv_usec ^ getpid () ^ getuid ()); > apr-util-1.5.3 srand((unsigned int)(((time_now >> 32) ^ time_now) & 0xffffffff)); > apr-util-1.5.3 srand((unsigned int)apr_time_now()); > aqualung-0.9beta11 srand(time(0)); > aqualung-0.9beta11 srand(time(NULL)); > audacious-3.5.2 srand (time (NULL)); > audacious-plugins-3.5.2 srand(time(NULL)); > audacity-1.3.9 srand(time(0)); > audacity-1.3.9 srand(time(NULL)); > audacity-1.3.9 srand( (unsigned int) time(NULL) ); > birda-1.1 srandom(t.tv_sec^t.tv_usec); > boost-1.53.0 std::srand( runtime_config::random_seed() ); > boost-1.53.0 srand(time(0)); > boost-1.53.0 generator() { srand(time(0)); } > boost-1.53.0 generator() { srand(time(0)); } > boost-1.53.0 std::srand(time(0) + world.rank()); > boost-1.53.0 std::srand(time(0) + world.rank()); > boost-1.53.0 srand(time(0) + world.rank()); > boost-1.53.0 srand(time(0) + world.rank()); > boost-1.53.0 std::srand(time(0) + world.rank()); > boost-1.53.0 std::srand(time(0) + world.rank()); > boost-1.53.0 srand( time(NULL) ); > boost-1.53.0 srand( time( NULL ) ); > boost-1.53.0 srand ( time(NULL) ); > boost-1.53.0 std::srand(static_cast<unsigned>(std::time(0))); > boost-1.53.0 std::srand(static_cast<unsigned>(std::time(0))); > boost-1.53.0 srand(time(0)); > boost-1.53.0 srand(time(0)); > boost-1.53.0 std::srand((unsigned int)std::time(NULL)); > boost-1.53.0 srand(time(0)); > bullet-2.81// srand(time(NULL) / 30); > bullet-2.81 srand((unsigned)time(NULL)); // Seed it... > bullet-2.81 srand ( time ( 0x0 ) ); > c3270-3.3.11.6 srand(time(NULL)); > c3270-3.3.11.6 srandom(time(NULL)); > c3270-3.3.11.6 srand(time(NULL)); > c3270-3.3.11.6 srandom(time(NULL)); > c3270-3.3.11.6 srand(time(NULL)); > c3270-3.3.11.6 srandom(time(NULL)); > c3270-3.3.11.6 srand(time(NULL)); > c3270-3.3.11.6 srandom(time(NULL)); > c3270-3.3.11.6 srand(time(NULL)); > c3270-3.3.11.6 srandom(time(NULL)); > c3270-3.3.11.6 srand(time(NULL)); > c3270-3.3.11.6 srandom(time(NULL)); > caps-plugins-0.4.4 srandom (tv.tv_sec ^ tv.tv_usec); > celestia-1.6.1 std::srand(std::time(NULL)); > celestia-1.6.1 std::srand(time(NULL)); > celestia-1.6.1 srandom(time(NULL)); > celt-0.11.1 srand(time(NULL)); > celt07-0.7.1 srand(time(NULL)); > cgdb-0.6.8 srand(time(NULL)); > clementine-1.2.3 srandom((int)[[NSDate date] timeIntervalSince1970]); > clementine-1.2.3 srandom(time(NULL)); > clementine-1.2.3 srand ( time ( NULL ) ); > clementine-1.2.3 qsrand((time.tv_sec * 1000) + (time.tv_usec / 1000)); > cmake-3.0.2 srand((unsigned)time(0)); > cmake-3.0.2 srand((unsigned int)time(NULL)+randomizer++); /* seed */ > codeblocks-13.12 srand( time(NULL) ); > codeblocks-13.12 inline void ini_random() { srand(time(0)); }; > codeblocks-13.12 srand((unsigned)time(0)); > codeblocks-13.12 srand(time(nullptr)); > codeworker-4.5.4 if (iSeed >= 0) srand((unsigned) iSeed); > codeworker-4.5.4 else srand((unsigned) time(NULL)); > db-3.1.17 srand((u_int)time(NULL)); > db-3.1.17 srand(getpid() | time(NULL)); > db-3.1.17 srand((unsigned int)time(NULL)); > db-4.6.21 srand((u_int)time(NULL)); > db-4.6.21 srand(getpid() | time(NULL)); > db-4.6.21 srand((unsigned int)time(NULL)); > db-4.6.21 srand((u_int)time(NULL) % (u_int)getpid()); > db-4.6.21 srand((u_int)(time(NULL) | getpid())); > db-4.6.21 srand((u_int)(time(NULL) | getpid())); > deadbeef-0.6.2 srand (time (NULL)); > deadbeef-0.6.2// srand ((uint) ::time(NULL)); > deadbeef-0.6.2 srand(time(NULL)); > deadbeef-0.6.2 fixed random playback bug caused by libsidplay2 calling srand(time(NULL)) > festival-1.95beta# define seed_random() srand((unsigned)time(NULL)) > festival-1.95beta# define seed_random() srandom(time(NULL)); > festival-1.95beta srand(time(NULL)); > flac-1.3.0 srand((unsigned)time(0)); > flac-1.3.0 srand((unsigned)time(0)); > flac-1.3.0 srand((unsigned)time(0)); > fldigi-3.21.83// srand(time(NULL)); > fritzing-0.9.0 srand ( time(NULL) ); > fritzing-0.9.0 srand((unsigned)(time(NULL) ^ ZCR_SEED2)); > giblib-1.2.4 srand(getpid() * time(NULL) % ((unsigned int) -1)); > glyr-1.0.2 srand (time (NULL) ); > glyr-1.0.2 srand (time (NULL) ); > gperf-3.0.4 srand (static_cast<long>(time (0))); > gqmpeg-0.91.1 srand(time(NULL)); > gsl-1.16.0.3-ruby21 srand(time(NULL)); > gtkpod-1.0.0 srand(time(NULL)); > hydrogen-0.9.4 srand( time( NULL ) ); > hylafax-6.0.6 srand(time(NULL)); > iozone-3.429 srand(time(0)); > jack-0.121.3 srandom (time ((time_t *) 0)); > jpilot-1.8.2 srandom(time(NULL)); > jpilot-1.8.2 srandom(time(NULL)); > jpilot-1.8.2 srand(time(NULL) * getpid()); > kdevplatform-1.6.0 srand(time(NULL)); > kdevplatform-1.6.0 srand(time(NULL)); > kdevplatform-1.6.0 //srand(time(NULL)); > kdevplatform-1.6.0 srand(time(NULL)); > kdevplatform-1.6.0 std::srand( std::time ( 0 ) ); > kicad-20100505 srand((unsigned)(time(NULL) ^ ZCR_SEED2)); > ksmp3play-0.5.1 srand ((unsigned int) time (NULL)); > kyotocabinet-1.2.76 srand(time(NULL)); > lame-3.99.5 srand ( time (NULL) ); > libivykis-0.36.2 srand(time(NULL) ^ getpid()); > libmemcached-0.48 srandom((uint32_t) time(NULL)); > libmemcached-0.48 srandom((uint32_t) time(NULL)); > libmemcached-0.48 srandom((unsigned int)time(NULL)); > libmemcached-0.48 srandom((unsigned int)time(NULL)); > libmodplug-0.8.8.5 srandom((uint32_t)time(0)); // initialize random generator with seed > libmp3splt-0.5.4 srand(time(NULL)); > libmtp-1.1.6 srand(time(NULL)); > liboil-0.3.17 srand(time(NULL)); > liboil-0.3.17 srand(time(NULL)); > liboil-0.3.17 srand(time(NULL)); > libreoffice-4.3.4.1 srand((unsigned int)time(NULL)); > libreoffice-4.3.4.1 srand( (unsigned) time( NULL ) ); // Random Seed Init fuer Interpreter > libreoffice-4.3.4.1 srand( unsigned( time( NULL ) )); > libreoffice-4.3.4.1 srand( (unsigned)(t = time( NULL )) ); > libreoffice-4.3.4.1 srand( unsigned( time( NULL ) )); > libreoffice-4.3.4.1 srand( (unsigned)time( NULL ) ); > libyubikey-1.12 srand (time (NULL)); > lmms-0.4.8 srand( time( NULL ) ); > lmms-0.4.8 srand(time(NULL)); > lmms-0.4.8// srand(time(0)); > lmms-0.4.8 srand (tv.tv_sec ^ tv.tv_usec); > lmms-0.4.8 srand( getpid() + time( 0 ) ); > lmms-0.4.8 srand( getpid() + time( 0 ) ); > madplay-0.15.2b srand(time(0)); > mariadb-10.0.14 srand((uint) time(NULL)); > mariadb-10.0.14 srand(time(0)); > mariadb-10.0.14 srand(time(0)); > mariadb-10.0.14 srand(time(0)); > mariadb-10.0.14 srand(time(0)); > mariadb-10.0.14 srand(num*time(NULL)); > mariadb-10.0.14 srand(time(NULL)/(i+1)); > mariadb-10.0.14 srand((i+1)*time(NULL)); > mariadb-10.0.14 srand(num*time(NULL)); > mariadb-10.0.14 srand(num*time(NULL)); > mariadb-10.0.14 srand(num*time(NULL)); > mariadb-10.0.14 srand (time(NULL)); > mariadb-10.0.14 srandom(time(NULL)); > mariadb-10.0.14 srandom(tv.tv_sec * 1000000 + tv.tv_usec); > mariadb-10.0.14 // Once upon a time srandom(8) caused this test to fail. > mariadb-10.0.14 srandom(time(0)); > mariadb-10.0.14 srandom((uint)time(NULL)); > mgetty+sendfax-1.1.37 srand((unsigned)time(NULL)); > mgetty+sendfax-1.1.37 srand(time(NULL) | getpid()); > mgetty+sendfax-1.1.37 srand(time(NULL) | getpid()); > mgetty+sendfax-1.1.37 srandom(time(NULL) | getpid()); > mico-2.3.13 srand (time (0)); > mikmod-3.2.6 srand(time(NULL)); > mikmod-3.2.6 srandom(time(NULL)); > mimepp-1.0 srand(time(0)); > mongodb-2.6.4 srand( ++z ^ (unsigned) time(0)); > mongodb-2.6.4 std::srand( runtime_config::random_seed() ); > motif-2.3.4 srand((int) time(NULL)); > mp3blaster-3.2.5 srand((unsigned int)time(&t)); > mp3blaster-3.2.5 srandom(time(&t)); > mpg123-1.21.0#include <time.h> /* For srand(). */ > mpg321-0.3.2 srand(time(NULL)); > mscore-1.3 srand(time(NULL) ^ 3141592654UL); > nap-1.5.3 srand(tv.tv_usec + 1000000*tv.tv_sec); > ncmpcpp-0.6.1 srand(time(nullptr)); > netstrain-3.0 srand(time(NULL)); > ode-0.12 srand( static_cast< unsigned int >( time( 0 ) ) ); > openldap-2.4.40 srand(time(NULL)); > openldap-2.4.40 srand(time(NULL)); > openldap-2.4.40 srand(time(NULL)); > openldap-2.4.40 srand(time(NULL)); > openldap-2.4.40 srand(time(NULL)); > openldap-2.4.40 srv_srand(time(0L)); > openmpi-1.4.1 srandom( (int)time(NULL) ); > openmpi-1.4.1 srand((unsigned int)time(NULL)); > opennap-0.44 srand (global.current_time + getuid () + getpid ()); > opus-tools-0.1.9 srand(((getpid()&65535)<<15)^start_time); > orc-0.4.19 srand(time(NULL)); > p5-Data-UUID-1.217 srand((unsigned int)(((time_now >> 32) ^ time_now)&0xffffffff)); > pcb-20110918 effect usage in our application. Added srand( time(NULL) ) to main.c to set the seed. > pcb-20110918#include <time.h> /* Seed for srand() */ > pcb-20110918 srand ( time(NULL) ); /* Set seed for rand() */ > pgbouncer-1.5.4 srandom(time(NULL) ^ getpid()); > pgpool-II-3.2.3 srandom((unsigned int) (getpid() ^ uptime.tv_usec)); > physfs-2.0.3 srand((unsigned int) time(NULL)); > pms-0.42 srand(time(NULL)); > postgresql-9.3.5 srandom((unsigned int) INSTR_TIME_GET_MICROSEC(start_time)); > postgresql-9.3.5 srandom((unsigned int) time(NULL)); > pulseaudio-5.0 srand((unsigned) time(NULL)); > pulseaudio-5.0 srand((unsigned) time(NULL)); > qdbm-1.8.78 if(cnt == 0) srand(time(NULL)); > qdbm-1.8.78 if(cnt == 0) srand(time(NULL)); > qdbm-1.8.78 if(cnt == 0) srand(time(NULL)); > qdbm-1.8.78 srand(time(NULL)); > qdbm-1.8.78 if(cnt == 0) srand(time(NULL)); > qdbm-1.8.78 srand(time(NULL)); > qdbm-1.8.78 if(cnt == 0) srand(time(NULL)); > qdbm-1.8.78 if(cnt == 0) std::srand(std::time(NULL)); > qgit-1.5.7 srand (time(NULL)); > quazip-0.7 srand((unsigned)(time(NULL) ^ ZCR_SEED2)); > qucs-0.0.16 ::srand (::time (NULL)); > redis-2.8.17 srandom(time(NULL)); > redis-2.8.17 srand(time(NULL)); > redis-2.8.17 srand(time(NULL)^getpid()); > rplay-3.3.2main(v,c)char**c;{srandom((int)time(!++c)*getpid());v-->1?printf("%s\n",c[random()%v]):(int)v;} > rplay-3.3.2 srandom(time(NULL)); > schismtracker-20100101 srand(time(NULL)); > scmxx-0.8.0 srand(time(NULL)); > siege-2.70 srand( (unsigned)time( NULL ) * seed ); > silc-toolkit-1.1.12 srand((time(NULL) + buf_len) ^ rand()); > smstools3-3.1.15 srand((int)(time(NULL) * getpid())); > snack2.2.10 srand(time(NULL)); > soprano-2.9.4 srand( time(0) ); > soundtracker-0.6.8 srand (time(NULL)); > sparsehash-2.0.2 srand(r); // keep compiler from optimizing away r (we never call rand()) > sparsehash-2.0.2 srand(9); > sparsehash-2.0.2 srand(r); // keep compiler from optimizing away r (we never call rand()) > sparsehash-2.0.2 srand(r); // keep compiler from optimizing away r (we never call rand()) > speex-1.2rc1 srand(time(NULL)); > strigi-0.7.7pl1 srand((unsigned int)time(NULL)); > sunclock-3.56-no_maps srandom(Context->time); > sysbench-0.4.8 srandom(time(NULL)); > tap-plugins-0.7.1 srand(time(0)); > teknap-1.3g srand((unsigned)time(NULL)); > teknap-1.3g $srand($time()) a very large seed > timidity-2.13.2 srand(time(NULL)); > timidity-2.13.2 srand(time(NULL)); > timidity-2.13.2 srand(time(NULL)); > timidity-2.13.2 srand(time(NULL)); > tla-1.2 srandom (time (0)); > tla-1.2 srandom (time (0)); > tracker-5.3 srand(time(0)); > tracker-5.3 srand(time(0)); > tremor-tools-1.0 srand(time(NULL)); > tremor-tools-1.0 srandom(time(NULL)); > tremor-tools-1.0 srand(time(NULL)); > virtuoso-6.1.6 srand((double) microtime() * 1000000); > virtuoso-6.1.6 srand ((unsigned int) time(NULL)); > virtuoso-6.1.6 srand ((unsigned) time (NULL)); > virtuoso-6.1.6 srand ((unsigned int) (((time_now >> 32) ^ time_now) & 0xffffffff)); > virtuoso-6.1.6 srand((unsigned)(time(NULL) ^ ZCR_SEED2)); > vorbis-tools-1.4.0 srandom(time(NULL)); > vorbis-tools-1.4.0 srand(time(NULL) ^ getpid()); > vorbis-tools-1.4.0 srand(time(NULL) ^ getpid()); > wmglobe-1.3 srandom(((int) time(NULL)) + ((int) getpid())); > wmmp3-0.12 srand(time(NULL)); > x3270-3.3.6 srandom(time(NULL)); > xearth-1.1 srandom(((int) time(NULL)) + ((int) getpid())); > xhippo-3.5 srand(time(0)); > xmcd-2.6 srand((unsigned) time(NULL)); > xmcd-2.6 srand((unsigned) time(NULL)); > xmms-1.2.11 srandom(time(NULL)); > xmms2-0.8 srand (time (NULL)); > xulrunner-24.8.0 srand(time(nullptr)); > xulrunner-24.8.0 srand(time(NULL)); > xulrunner-24.8.0 srand(time(NULL)); > xulrunner-24.8.0 srand(time(NULL)); > xulrunner-24.8.0 srand(time(NULL)); > xulrunner-24.8.0 srand((unsigned int)time(NULL)); > xulrunner-24.8.0/mozilla-esr24/security/nss/lib/freebl/mpi/utils/bbsrand.c- seed = time(NULL); > xulrunner-24.8.0 srand((unsigned int)time(NULL)); > xulrunner-24.8.0 srand(seed); > xulrunner-24.8.0 srand(time(NULL) * (unsigned int)pid); > xulrunner-24.8.0 srand(time(NULL)); > xulrunner-24.8.0 srand((unsigned int)time(NULL)); > xulrunner-24.8.0 srand(static_cast<uint32_t>(time(NULL))); > xulrunner-24.8.0 srand(time(0)); > xulrunner-24.8.0 srand( (unsigned)time( NULL ) ); /* seed random number generator */ > xulrunner-24.8.0 srand(time(0)); > xulrunner-24.8.0 srandom((int)[[NSDate date] timeIntervalSince1970]); > xulrunner-24.8.0 srand(time(NULL)); > xulrunner-24.8.0 srand(time(0)); > xulrunner-24.8.0 srandom(time(NULL)); > xulrunner-24.8.0 srandom(time(NULL)); > xulrunner-24.8.0 srandom(time(NULL)); > xulrunner-24.8.0 srandom(time(NULL)); > xulrunner-24.8.0 srandom(time(NULL)); > xulrunner-24.8.0 srandom(time(NULL)); > xulrunner-24.8.0 srandom(time(NULL)); > xulrunner-24.8.0 srandom(time(NULL)); > xulrunner-24.8.0 srandom(time(NULL)); > xulrunner-24.8.0 srandom(time(NULL)); > xulrunner-24.8.0 srandom(time(NULL)); > xulrunner-24.8.0 srandom(time(NULL)); > xulrunner-24.8.0 srandom(time(NULL)); > xulrunner-24.8.0 srandom(time(NULL)); > xulrunner-24.8.0 srandom(time(NULL)); > xulrunner-24.8.0 srandom(time(NULL)); \ > xulrunner-24.8.0 srandom(time(NULL)); \ > xulrunner-24.8.0 srandom(time(NULL)); \ > xulrunner-24.8.0 srandom(time(NULL)); \ > xulrunner-24.8.0 srandom(time(NULL)); \ > xulrunner-24.8.0 srand((unsigned int) time(NULL)); > xulrunner-24.8.0 srand((unsigned int) time(NULL)); > xulrunner-24.8.0 srand((unsigned int)time(NULL) ); > xulrunner-24.8.0 srand((unsigned int)time(NULL)); > xulrunner-24.8.0 srand((unsigned int)time(NULL)); > xulrunner-24.8.0 srand(time(NULL) ); > xulrunner-24.8.0 srand(time(NULL)); > xulrunner-24.8.0 srand(time(NULL)); > xulrunner-24.8.0 srand(timeGetTime()); > xulrunner-24.8.0 cpr_srand((unsigned int)time(NULL)); > xulrunner-24.8.0 cpr_srand((unsigned int)time(NULL)); > xulrunner-24.8.0 cpr_srand((unsigned int)time(NULL)); > zip-3.0 standard UNIX C runtime library functions: time(), rand(), srand(). > zip-3.0 srand((unsigned)time(NULL) ^ ZCR_SEED2);
I'll take care of Clementine, Virtuoso and KDE stuff. Thank you for detailed list. -- Vadim Zhukov