KRandom regression + fix

Frederik Schwarzer schwarzer at kde.org
Wed Apr 27 10:42:46 BST 2016


On 27.04.2016 08:48, Johannes Huber wrote:

Hi Johannes,

>> KRandom saw a regression in KCoreAddon's 5.21.0 release, which impacts a
>> wide range of applications and use cases. Since the rand() was not
>> seeded, the numbers generated were predictable, which is ugly in games
>> and probably alarming for Bluetooth pairing.
> 
> Thanks for the patch. When I read "random numbers were predictable",
> instantly an alarm bell rings in my head. Is this a security issue?

The docs of rand() state that you should not use it for serious business 
like cryptography
http://en.cppreference.com/w/cpp/numeric/random/rand
and the most serious business I could see within KDE was PIN generation 
for Bluetooth pairing. But you can never know who is using it for what 
outside of the KDE infrastructure.

Since I am neither a core developer (just maintaining a game which was
beaten by the consequences of this issue) nor a crypto guy, I cannot
really assess the severity of such a regression, but my first thoughts
were:
- why is there no unit test catching this?
- should the KRandom API doc pass through the note of not using it for
  serious business in general?

That's why I CC'ed kde-core-devel.

Regards,
Frederik
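The two points raised above, an unseeded rand() being predictable and the missing unit test, can be illustrated with a small self-contained C++ program. This is an added example, not KRandom's or KCoreAddons' own code, and it makes no claim about how the KDE fix was implemented. It relies on the C standard's guarantee that rand() called before any srand() produces the same sequence as srand(1); the function names (rand_is_unseeded, generate_pin, pins_vary) are illustrative and not part of any KDE API. generate_pin draws digits from std::random_device, which libstdc++ and libc++ back with the OS entropy source on Linux, the BSDs and macOS; older MinGW builds made it deterministic, so a real pairing-PIN generator should confirm the platform behaviour or call the OS CSPRNG directly.

```cpp
#include <cstdio>
#include <cstdlib>
#include <random>
#include <string>
#include <vector>

// Draw n values from rand() in whatever state it currently has.
static std::vector<int> draw_rand(std::size_t n) {
    std::vector<int> out;
    out.reserve(n);
    for (std::size_t i = 0; i < n; ++i)
        out.push_back(std::rand());
    return out;
}

// Detects the regression class discussed in the thread: rand() never seeded.
// The C standard guarantees that an unseeded rand() yields the same sequence
// as srand(1), so the first n draws are compared with a fresh srand(1) stream.
// Must be the first caller of rand() in the process (e.g. the first thing a
// unit test does); it changes the generator state, so call it only once.
bool rand_is_unseeded(std::size_t n = 16) {
    std::vector<int> observed = draw_rand(n);
    std::srand(1);
    std::vector<int> seed1 = draw_rand(n);
    return observed == seed1;
}

// Replacement for a "PIN from rand()" pattern: every digit comes from
// std::random_device (OS entropy on mainstream libstdc++/libc++ builds;
// assumption, verify on your platform before using it for pairing PINs).
std::string generate_pin(unsigned digits) {
    std::random_device rd;
    std::uniform_int_distribution<int> digit(0, 9);
    std::string pin;
    for (unsigned i = 0; i < digits; ++i)
        pin.push_back(static_cast<char>('0' + digit(rd)));
    return pin;
}

// True if pin has exactly `digits` characters, all decimal digits.
bool is_numeric_pin(const std::string& pin, unsigned digits) {
    if (pin.size() != digits)
        return false;
    for (char c : pin)
        if (c < '0' || c > '9')
            return false;
    return true;
}

// Cheap liveness check for a test suite: among `trials` PINs at least two must
// differ. With 6 digits, honest random PINs all colliding has probability
// 10^-6 per extra trial, so a failure means the source is stuck or constant.
bool pins_vary(unsigned digits, unsigned trials) {
    std::string first = generate_pin(digits);
    for (unsigned i = 1; i < trials; ++i)
        if (generate_pin(digits) != first)
            return true;
    return false;
}

int main() {
    std::printf("rand() unseeded: %s\n", rand_is_unseeded() ? "yes" : "no");
    std::printf("PIN from random_device: %s\n", generate_pin(6).c_str());
    std::printf("PINs vary: %s\n", pins_vary(6, 8) ? "yes" : "no");
    return 0;
}
```

In a test suite the rand_is_unseeded check only works as a regression guard if the test process itself never seeds rand() before calling the code under test; that is also why a library-level test for a wrapper like KRandom has to run before any other test touches the global generator.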



