[3.5] libxdmcp: weak entropy usage for session keys (CVE-2017-2625)
In the absence of arc4random(), xdmcp session keys are generated based
on getpid() and time(), which may allow a local attacker to brute-force
the key.
Affected Version:
1.1.2 and lower
References:
https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2625
(from redmine: issue id 6970, created on 2017-03-07, closed on 2019-03-19)
- Relations:
- parent #6968 (closed)
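
The weakness described above, shown next to a hardened form. This is an added example, not libXdmcp's code: the function names, the 8-byte `KEY_LEN`, and the use of `rand()` as the PRNG seeded from the pid and time are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/random.h> /* getentropy() on glibc >= 2.25 */

#define KEY_LEN 8 /* assumed key length for this example */

/* Weak pattern: the key is a pure function of (pid, now), two values a
 * local user can observe or narrow down. rand() is an assumed stand-in. */
static void weak_key(unsigned char key[KEY_LEN], pid_t pid, time_t now)
{
    srand((unsigned)pid ^ (unsigned)now);
    for (int i = 0; i < KEY_LEN; i += 4) {
        unsigned long r = (unsigned long)rand();
        for (int j = 0; j < 4; j++)
            key[i + j] = (unsigned char)(r >> (8 * j));
    }
}

/* Hardened form: kernel CSPRNG only; 0 on success, -1 on error (no fallback). */
static int strong_key(unsigned char key[KEY_LEN])
{
    return getentropy(key, KEY_LEN);
}

/* 1 if the same (pid, now) pair always yields the same weak key. */
static int weak_key_is_reproducible(pid_t pid, time_t now)
{
    unsigned char a[KEY_LEN], b[KEY_LEN];
    weak_key(a, pid, now);
    weak_key(b, pid, now);
    return memcmp(a, b, KEY_LEN) == 0;
}

/* 1 if two CSPRNG keys differ, -1 if the CSPRNG call failed. */
static int strong_keys_differ(void)
{
    unsigned char a[KEY_LEN], b[KEY_LEN];
    if (strong_key(a) != 0 || strong_key(b) != 0) return -1;
    return memcmp(a, b, KEY_LEN) != 0;
}

int main(void)
{
    printf("%d %d\n", weak_key_is_reproducible(getpid(), time(NULL)), strong_keys_differ());
    return 0;
}
```

The hardened function returns an error when the CSPRNG is unavailable, so a caller cannot silently end up back on pid and time.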