zoutianyu / ziparchive

Automatically exported from code.google.com/p/ziparchive
0 stars 0 forks source link

Insufficient Entropy (CWE ID 331) #40

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Hi,

When I am using your lib (code) in my project and preform VeraCode scan for 
security testing then found many flaws. One of the common flaw is "Insufficient 
Entropy (CWE ID 331)".

This flaw comes in class: crypt.h on line no: 113 and 118.

Code is below:

    if (++calls == 1)
    {
        srand((unsigned)(time(NULL) ^ ZCR_SEED2));
    }
    init_keys(passwd, pkeys, pcrc_32_tab);
    for (n = 0; n < RAND_HEAD_LEN-2; n++)
    {
        c = (rand() >> 7) & 0xff;
        header[n] = (unsigned char)zencode(pkeys, pcrc_32_tab, c, t);
    }

Please update me if any resolution is available for security flaws or suggest 
me if any correction is required.

Thanks in Advance.

Original issue reported on code.google.com by shivanig...@gmail.com on 7 Apr 2015 at 11:16