There is a function that adds entropy to the pool. This function is called with secure random values in some places, and called with uninitialized memory in other places. The Debian developers commented out the line that actually mixes the buffer into the pool, rather than making the function only get called with initialized values. This took care of the uninitialized memory getting used, but also meant that the secure random numbers didn't get used, either.
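A toy model of the two fixes described above, written as an added example for this page (it is not the commenter's code and not OpenSSL's; the SHA-256 pool, the `Buffer` class with its `initialized` flag, and all function names are assumptions made for illustration). It contrasts three variants: the original mixing function, the same function with its mixing line disabled, and a caller-side guard that keeps the mixing but only feeds the function initialized buffers. The check at the end shows that with mixing disabled, two different secure seeds leave the pool in the same state, while the guarded version still separates them without ever touching the uninitialized buffer.

```python
import hashlib
from dataclasses import dataclass

POOL_SIZE = 32  # size of the pool state in this toy model (assumption, not OpenSSL's layout)


@dataclass(frozen=True)
class Buffer:
    """A caller-supplied buffer plus a flag standing in for 'was this memory ever written'."""
    data: bytes
    initialized: bool


def mix_into_pool(pool: bytes, buf: bytes) -> bytes:
    """Mix a buffer into the pool by hashing it together with the current state.
    This is the step the comment says Debian commented out."""
    return hashlib.sha256(pool + buf).digest()


def mix_into_pool_disabled(pool: bytes, buf: bytes) -> bytes:
    """Same signature, but with the mixing line removed: the input is ignored,
    whether it is uninitialized garbage or good random bytes."""
    return pool


def seed_pool(mix, buffers):
    """Run every buffer through the given mix function, starting from an all-zero pool.
    Models the original call pattern: every caller's buffer, initialized or not, is passed in."""
    pool = bytes(POOL_SIZE)
    for buf in buffers:
        pool = mix(pool, buf.data)
    return pool


def seed_pool_guarded(buffers):
    """The alternative the comment points at: keep the mixing line and only call
    the function with buffers that are actually initialized."""
    pool = bytes(POOL_SIZE)
    for buf in buffers:
        if buf.initialized:
            pool = mix_into_pool(pool, buf.data)
    return pool


def compare_seeds(seed_a: bytes, seed_b: bytes) -> dict:
    """Seed the pool three ways with two different secure seeds and report, per variant,
    whether the resulting pool states differ. Each seeding also includes a constructed
    stand-in for an uninitialized stack buffer."""
    garbage = Buffer(b"\xcc" * 16, initialized=False)  # constructed: never-written memory
    a = [garbage, Buffer(seed_a, initialized=True)]
    b = [garbage, Buffer(seed_b, initialized=True)]
    return {
        "mixing": seed_pool(mix_into_pool, a) != seed_pool(mix_into_pool, b),
        "mixing_disabled": seed_pool(mix_into_pool_disabled, a)
        != seed_pool(mix_into_pool_disabled, b),
        "guarded": seed_pool_guarded(a) != seed_pool_guarded(b),
    }


if __name__ == "__main__":
    # Constructed sample seeds; in real code these would come from a secure source.
    for variant, differs in compare_seeds(b"A" * 32, b"B" * 32).items():
        print(f"{variant:16s} pool states differ: {differs}")
```

The point the model makes is about where the fix belongs: the mixing function was correct, and the uninitialized-memory report was about one of its callers, so the remedy that preserves entropy is a guard at the call site (or a callers-only change), not removing the one line that gives the pool its randomness. Disabling it silently turns every seed into a no-op, which the `mixing_disabled` row shows as two different seeds producing identical state.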
Copyright © 2017, Eklektix, Inc.