Package: zsh
Version: 5.2-5
Severity: normal

Dear Maintainer,

Zsh just repeats the same number when $RANDOM is requested in fresh subshells. In general, this sort of bug is a security vulnerability, though I'm not aware of anyone doing security-sensitive stuff in zsh.

bash handles this correctly in variables.c by checking `subshell_environment && seeded_subshell != pid` on every call and reseeding then; it would also be possible to use `pthread_atfork` (or, since the forking is entirely within the main executable, just the manual equivalent at the call site). See also tests/varenv.sh in the bash source package.

Simple test case:

    zsh -c 'for I in {0..9}; do ( echo $RANDOM ); done; echo $RANDOM; for I in {0..9}; do ( echo $RANDOM ); done'

-- Package-specific info:

Packages which provide vendor completions:

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name              Version                Architecture Description
+++-=================-======================-============-=======================================================
ii  0install-core     2.10-2                 amd64        cross-distribution packaging system (non-GUI parts)
ii  cmus              2.7.1+git20160225-1+b1 amd64        lightweight ncurses audio player
ii  curl              7.47.0-1               amd64        command line tool for transferring data with URL syntax
ii  git-buildpackage  0.7.5                  all          Suite to help with Debian packages in Git repositories
ii  mpv               0.14.0-1+b2            amd64        video player based on MPlayer/mplayer2
ii  pulseaudio        8.0-2+b2               amd64        PulseAudio sound server
ii  reprepro          4.17.1-1               amd64        Debian package repository producer
ii  systemd           230-2                  amd64        system and service manager
ii  systemd-container 230-2                  amd64        systemd container/nspawn tools
ii  systemd-coredump  230-2                  amd64        tools for storing and retrieving coredumps
ii  udev              230-2                  amd64        /dev/ and hotplug management daemon
ii  vlc-nox           2.2.4-2                amd64        multimedia player and streamer (without X support)

dpkg-query: no path found matching pattern /usr/share/zsh/vendor-functions/

-- System Information:
Debian Release: stretch/sid
  APT prefers testing-debug
  APT policy: (600, 'testing-debug'), (600, 'testing'), (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, x32

Kernel: Linux 4.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages zsh depends on:
ii  dpkg        1.18.7
ii  libc6       2.22-11
ii  libcap2     1:2.25-1
ii  libtinfo5   6.0+20160319-1
ii  zsh-common  5.2-5

Versions of packages zsh recommends:
ii  libncursesw5  6.0+20160319-1
ii  libpcre3      2:8.38-3.1

Versions of packages zsh suggests:
pn  zsh-doc  <none>

-- no debconf information
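The mechanism the report describes, as an added example that is not part of the original report and is not code from zsh or bash: generator state is copied into each forked child, so every fresh child draws the same value until the generator reseeds when it notices a pid change. All names here (`rng_next`, `seeded_pid`, `children_matching_first`) and the toy generator are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static uint32_t rng_state;   /* copied verbatim into every fork()ed child */
static pid_t seeded_pid;     /* process that last seeded the generator */

/* Illustration only: pid and clock are not a cryptographic seed. */
static void rng_seed(void) {
    seeded_pid = getpid();
    rng_state = (uint32_t)seeded_pid ^ (uint32_t)time(NULL);
}

/* 15-bit value like $RANDOM; optionally reseed when the pid has changed. */
static int rng_next(int reseed_after_fork) {
    if (reseed_after_fork && seeded_pid != getpid())
        rng_seed();
    rng_state = rng_state * 1103515245u + 12345u;
    return (int)((rng_state >> 16) & 0x7fff);
}

/* Fork n children that each draw one value; return how many drew the same
   value as the first child (n means every child repeated it), -1 on error. */
int children_matching_first(int n, int reseed_after_fork) {
    int fds[2], first = -1, same = 0, v;
    rng_seed();
    if (pipe(fds) != 0) return -1;
    for (int i = 0; i < n; i++) {
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) {                     /* child: a fresh "subshell" */
            v = rng_next(reseed_after_fork);
            _exit(write(fds[1], &v, sizeof v) == (ssize_t)sizeof v ? 0 : 1);
        }
        if (read(fds[0], &v, sizeof v) != (ssize_t)sizeof v) return -1;
        waitpid(pid, NULL, 0);
        if (i == 0) first = v;
        if (v == first) same++;
    }
    close(fds[0]); close(fds[1]);
    return same;
}
int main(void) {
    printf("inherited state:      %d/10 match\n", children_matching_first(10, 0));
    printf("reseed on pid change: %d/10 match\n", children_matching_first(10, 1));
    return 0;
}
```

The parent never draws between forks, which mirrors the `( echo $RANDOM )` loop in the test case above.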