[13670] in bugtraq
Re: Tempfile vulnerabilities
daemon@ATHENA.MIT.EDU (Werner Koch)
Wed Feb 2 16:47:01 2000
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Message-Id: <20000202092732.A2096@frodo.gnupg.de>
Date: Wed, 2 Feb 2000 09:27:32 +0100
Reply-To: Werner Koch <wk@GNUPG.ORG>
From: Werner Koch <wk@GNUPG.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200002010455.XAA20677@pace.picante.com>; from gtaylor+bugtraq_hcdbb013100@PICANTE.COM on Mon, Jan 31, 2000 at 11:55:18PM -0500
On Mon, 31 Jan 2000, Grant Taylor wrote:
> open(RAN, "/dev/random") or die;   # "|| die" never fires: || binds to the filename, not to open()
> read(RAN, $foo, 16);
> close RAN;
> $file = '/tmp/autobuse' . unpack('H16', $foo);
Please, never use /dev/random or /dev/urandom for such purposes.
Aside from the fact that it does not help much in what you want to achieve,
it is a disaster to system performance because it empties the system's
entropy pool and wastes precious entropy for unneeded things.
Crypto software _really_ needs these random numbers.
--
Werner Koch at guug.de www.gnupg.org keyid 621CC013
Boycott Amazon! - http://www.gnu.org/philosophy/amazon.html
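Added example, not code from either poster: what actually protects a temporary file is atomic exclusive creation (O_CREAT|O_EXCL, plus O_NOFOLLOW where available), after which the name only has to be unique, not unpredictable, so a pid/counter suffix suffices and no kernel entropy is spent. The `autobuse.` prefix is borrowed from the quoted snippet; the directory, helper names and the pre-placed "stale" file are constructed for the demonstration.

```python
import os
import shutil
import tempfile

def create_tempfile_exclusive(directory, prefix="autobuse.", max_tries=100):
    """Create a private temp file and return (fd, path).

    Safety comes from O_CREAT|O_EXCL: the kernel refuses the open if anything
    already exists at that path (a pre-placed file or a symlink), so the name
    needs uniqueness only. O_NOFOLLOW (where the platform has it) additionally
    refuses to follow a symlink placed at the name.
    """
    flags = os.O_RDWR | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    for n in range(max_tries):
        path = os.path.join(directory, f"{prefix}{os.getpid()}.{n}")
        try:
            return os.open(path, flags, 0o600), path  # 0o600: owner-only
        except FileExistsError:
            continue  # name already taken (benignly or not): try the next
    raise RuntimeError(f"no free temporary file name after {max_tries} tries")

def demo():
    """Pre-place a file at the first candidate name (constructed stand-in for
    whatever might already sit there) and show the exclusive open skips it
    instead of truncating or reusing it. Returns a summary for checking."""
    d = tempfile.mkdtemp()
    try:
        stale = os.path.join(d, f"autobuse.{os.getpid()}.0")
        with open(stale, "w") as f:
            f.write("stale")
        fd, path = create_tempfile_exclusive(d)
        os.write(fd, b"private")
        os.close(fd)
        with open(stale) as f:
            stale_content = f.read()
        return {
            "skipped_stale": path != stale,
            "stale_untouched": stale_content == "stale",
            "group_other_bits": os.stat(path).st_mode & 0o077,
        }
    finally:
        shutil.rmtree(d)
```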