Trolltech Home | Qt4-preview-feedback Home | Recent Threads | All Threads | Author | Date
All threads index page 1

Qt4-preview-feedback Archive, April 2007
4.3 QAuthenticator uses uninitialized rand() - Possibly security problem

• Subject: 4.3 QAuthenticator uses uninitialized rand() - Possibly security problem
• From: "Thiago A. Corrêa" <thiago.correa@xxxxxxxxx>
• Date: Sat, 21 Apr 2007 21:53:10 +0100
• Delivered-to: qt4-preview-feedback@trolltech.com
• Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=p5wcNUxXU935EZv16KQFLZO0hnD3H/nyR+r8Vvd+7Kdco0LRX5LE63EX1Iho5LRBJYBTVep4Ou9Jc2+8bjnoV3YLCsP7pGXwccD3iaDE3yTeR07XlJQCD4RIZpJyn+mOkCzjV4li+pSrrYUdDMbSJJBfZcCmEH/pRQ77hHzT+KM=
• Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=EpYebxFnIIY18gNkrNvEyTsfBn1uB2lNog+jb858Nks7GUDeyxxVjZVi/w0dGGWpa7R5S/eNPk9244lkPffI2jJdGGl1bl2b/nW48xhimy0hDW6df90Hr0ATOCalypWmrofApiWYVMnv24I4dPfqVQCoxqoUVh5FQMbcTTYPP08=
• List-help: <mailto:qt4-preview-feedback-request@trolltech.com?subject=help>
• List-post: <mailto:qt4-preview-feedback@trolltech.com>
• List-subscribe: <mailto:qt4-preview-feedback-request@trolltech.com?subject=subscribe>
• List-unsubscribe: <mailto:qt4-preview-feedback-request@trolltech.com?subject=unsubscribe>
• Resent-from: qt4-preview-feedback@xxxxxxxxxxxxx
• Resent-message-id: <UgVZ_C.A.QrE.5mnKGB@esparsett>
• Resent-sender: qt4-preview-feedback-request@xxxxxxxxxxxxx
• To: qt4-preview-feedback@xxxxxxxxxxxxx

Hi,

   The other day I was browsing thru the sources and I noticed that it
appears QAuthenticator is using rand() instead of qrand() and it's
seed is completely uninitilized, which will give you the same results
across each run, and thus completely predictable numbers in the
authentication algorithm.

Cheers,
   Thiago A. Correa

To unsubscribe - send "unsubscribe" in the subject to qt4-preview-feedback-request@xxxxxxxxxxxxx

• Subject: Re: 4.3 QAuthenticator uses uninitialized rand() - Possibly security problem
• From: Lars Knoll <lars@xxxxxxxxxxxxx>
• Date: Mon, 23 Apr 2007 08:38:30 +0200
• Delivered-to: qt4-preview-feedback@trolltech.com
• List-help: <mailto:qt4-preview-feedback-request@trolltech.com?subject=help>
• List-post: <mailto:qt4-preview-feedback@trolltech.com>
• List-subscribe: <mailto:qt4-preview-feedback-request@trolltech.com?subject=subscribe>
• List-unsubscribe: <mailto:qt4-preview-feedback-request@trolltech.com?subject=unsubscribe>
• Organization: Trolltech
• Resent-from: qt4-preview-feedback@xxxxxxxxxxxxx
• Resent-message-id: <lNULHC.A.ArD.QRFLGB@esparsett>
• Resent-sender: qt4-preview-feedback-request@xxxxxxxxxxxxx
• To: qt4-preview-feedback@xxxxxxxxxxxxx

On Saturday 21 April 2007, Thiago A. Corrêa wrote:
> Hi,
>
>    The other day I was browsing thru the sources and I noticed that it
> appears QAuthenticator is using rand() instead of qrand() and it's
> seed is completely uninitilized, which will give you the same results
> across each run, and thus completely predictable numbers in the
> authentication algorithm.

Fixed. Thanks a lot for spotting that one :)

Cheers,
Lars

>
> Cheers,
>    Thiago A. Correa
>
> To unsubscribe - send "unsubscribe" in the subject to
> qt4-preview-feedback-request@xxxxxxxxxxxxx


To unsubscribe - send "unsubscribe" in the subject to qt4-preview-feedback-request@xxxxxxxxxxxxx