|
| From: | Thomas Dickey |
| Subject: | Re: [Lynx-dev] predictable PRNG used |
| Date: | Sun, 5 Jul 2009 13:19:17 -0400 (EDT) |
On Sun, 5 Jul 2009, Michael S. Gilbert wrote:
On Sun, 5 Jul 2009 13:08:38 +0000 (UTC) Thorsten Glaser wrote:If arc4random(3) is available¹, lynx uses it. I sent in a patch for that years ago. Otherwise, there is no good self-seeding SRNG available in the standards, so it will use lrand48(3) instead², with a fallback to rand(3) like everyone else.i'm triaging this issue for linux, and i don't believe that it has an arc4random implementation. so this would mean that lynx is using the very insecure linear congruential algorithm and is thus affected by this issue?
It depends - lynx's configure script looks for these pairs: arc4random_push/arc4randomarc4random_stir/arc4random srandom/random
srand48/lrand48 srand/randOn Debian/testing, it'll use srandom and random, whose manpage says non-linear:
The random() function uses a non-linear additive feedback random number
generator employing a default table of size 31 long integers to return
successive pseudo-random numbers in the range from 0 to RAND_MAX. The
period of this random number generator is very large, approximately
16*((2**31)-1).
--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net
| [Prev in Thread] | Current Thread | [Next in Thread] |