Date: Sun, 16 Feb 2003 22:31:25 -0800 From: David Schultz <dschultz@uclink.Berkeley.EDU> To: Kris Kennaway <kris@obsecurity.org> Cc: Tim Robbins <tjr@FreeBSD.ORG>, "Andrey A. Chernov" <ache@FreeBSD.ORG>, current@FreeBSD.ORG Subject: Re: cvs commit: src/lib/libc/stdlib rand.c Message-ID: <20030217063125.GA6292@HAL9000.homeunix.com> In-Reply-To: <20030217060810.GA68835@rot13.obsecurity.org> References: <200302170352.h1H3qawJ062671@repoman.freebsd.org> <20030217045729.GA68471@rot13.obsecurity.org> <20030217164048.A28273@dilbert.robbins.dropbear.id.au> <20030217060810.GA68835@rot13.obsecurity.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Thus spake Kris Kennaway <kris@obsecurity.org>: > On Mon, Feb 17, 2003 at 04:40:48PM +1100, Tim Robbins wrote: > > > I disagree. It's safe to use rand() in games and in certain kinds of > > simulations when you don't care that the distribution isn't quite > > uniform, or when you prefer speed over quality. I don't think rand() > > needs a warning message like gets() &c. because it's not as dangerous. > > The problem is that there are a number of applications that use it > when they should not. I've given examples of two of them, and there > are probably lots of others I haven't noticed. For example, I just > checked, and libICE appears to use rand() for cookie generation. This > is completely bogus, and insecure. > > Note that I was only suggesting this patch be committed to -current > for purposes of finding out what these applications are, and fixing > them as appropriate. Then how about wrapping the warning in an #ifdef, so people who want to find inappropriate uses of rand() can do so for as long as they want, and everyone else who uses -CURRENT is not affected? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030217063125.GA6292>