KRandom regression + fix
Frederik Schwarzer
schwarzer at kde.org
Wed Apr 27 10:42:46 BST 2016
Am 27.04.2016 08:48 schrieb Johannes Huber:
Hi Johannes,
>> KRandom saw a regression in KCoreAddon's 5.21.0 release, which impacts
>> a
>> wide range of applications and use cases. Since the rand() was not
>> seeded, the numbers generated were predictable, which is ugly in games
>> and probably alarming for bluetooth pairing.
>
> thanks for the patch. When i read "randon numbers were predictable"
> instantly
> a alarm bell rings in my head. Is this a security issue?
The docs of rand() state that you should not use it for serious business
like cryptography
http://en.cppreference.com/w/cpp/numeric/random/rand
and the most serious business I could see within KDE was PIN generation
for Bluetooth pairing. But you can never know who is using it for what
outside of the KDE infrastructure.
Since I am neither a core developer (just maintaining a game which was
beaten by the consequences of this issue) nor a crypto guy, I cannot
really assess the severity of such a regression but my first thoughts
were:
- why is there no unit test cathing this?
- should KRandom api doc pass through the note of not using it for
serious business in general?
That's why I CC'ed kde-core-devel.
Regards,
Frederik
More information about the kde-core-devel
mailing list