Am 27.04.2016 08:48 schrieb Johannes Huber:
Hi Johannes,
KRandom saw a regression in KCoreAddon's 5.21.0 release, which impacts
a
wide range of applications and use cases. Since the rand() was not
seeded, the numbers generated were predictable, which is ugly in games
and probably alarming for bluetooth pairing.
thanks for the patch. When i read "randon numbers were predictable"
instantly
a alarm bell rings in my head. Is this a security issue?
The docs of rand() state that you should not use it for serious business
like cryptography
http://en.cppreference.com/w/cpp/numeric/random/rand
and the most serious business I could see within KDE was PIN generation
for Bluetooth pairing. But you can never know who is using it for what
outside of the KDE infrastructure.
Since I am neither a core developer (just maintaining a game which was
beaten by the consequences of this issue) nor a crypto guy, I cannot
really assess the severity of such a regression but my first thoughts
were:
- why is there no unit test cathing this?
- should KRandom api doc pass through the note of not using it for
serious business in general?
That's why I CC'ed kde-core-devel.
Regards,
Frederik
