commit 047a0fd99e64c554c4edf44cc67ee765b09af017
Author: Marcus Meissner
Date: Tue Apr 4 16:27:39 2017 +0200
initialize the random seed
In libxslt 1.1.29 and earlier, the EXSLT math.random function was not initialized with a random seed during startup, which could cause usage of this function to produce predictable outputs.
CVE: CVE-2015-9019
Upstream-Status: Backport [https://bug758400.bugzilla-attachments.gnome.org/attachment.cgi?id=349240&action=diff&collapsed=&context=patch&format=raw&headers=1]
Signed-off-by: Sona Sarmadi
diff --git a/libexslt/math.c b/libexslt/math.c
index 6b24dbe0..b7a8d6e1 100644
--- a/libexslt/math.c
+++ b/libexslt/math.c
@@ -23,6 +23,14 @@
 #ifdef HAVE_STDLIB_H
 #include
 #endif
+#ifdef HAVE_UNISTD_H
+#include
+#endif
+#include
+#ifdef HAVE_TIME_H
+#include
+#endif
+
 #include "exslt.h"
@@ -474,6 +482,20 @@ static double
 exsltMathRandom (void) {
 double ret;
 int num;
+ long seed;
+ static int randinit = 0;
+
+ if (!randinit) {
+ int fd = open("/dev/urandom",O_RDONLY);
+
+ seed = time(NULL); /* just in case /dev/urandom is not there */
+ if (fd == -1) {
+ read (fd, &seed, sizeof(seed));
+ close (fd);
+ }
+ srand(seed);
+ randinit = 1;
+ }
 num = rand();
 ret = (double)num / (double)RAND_MAX;
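Review bot: The `/dev/urandom` read inside the new `if (!randinit)` block is guarded by `if (fd == -1)`, which is inverted: when `open()` succeeds the read is skipped and the descriptor leaks (the `close()` is never reached) so the seed stays at `time(NULL)`, and when it fails `read()`/`close()` are called on -1 and just return EBADF, so the time-based seed the commit message calls a fallback is in fact the only seed ever used. The guard should be `if (fd != -1) {`. The `read()` return value is also ignored; checking `if (read(fd, &seed, sizeof(seed)) != sizeof(seed)) seed = time(NULL);` (or keeping the already-stored time seed on a short read) would avoid a partially written seed. Even with correct seeding, `srand()`/`rand()` remain a non-cryptographic generator and the unsynchronized `static int randinit` is racy if libxslt is entered from several threads at once, so a comment stating that math:random is not meant to be unpredictable under adversarial conditions would set expectations. The function's `return` is below the hunk.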