Random() is not secure because it provides insufficient entropy. CWE ID 331.

[tdhintz]

Steps to reproduce

1. Static code security scan. Example:

		private static void WriteEncryptionHeader(Stream stream, long crcValue)
		{
			byte[] cryptBuffer = new byte[ZipConstants.CryptoHeaderSize];
			var rnd = new Random();
			rnd.NextBytes(cryptBuffer);
			cryptBuffer[11] = (byte)(crcValue >> 24);
			stream.Write(cryptBuffer, 0, cryptBuffer.Length);
		}

Expected behavior

Replace all uses of System.Random() with a cryptographic version such as that provided by RNGCryptoServiceProvider.

Actual behavior

SharpZipLib fails security scans.

Version of SharpZipLib

1.3.0

Obtained from (only keep the relevant lines)

• Package installed using NuGet

[piksel]

The referenced code is this:

SharpZipLib/src/ICSharpCode.SharpZipLib/Zip/ZipFile.cs

Line 3727 in 716b913

private static void WriteEncryptionHeader(Stream stream, long crcValue)

But the same method is also used in:

SharpZipLib/src/ICSharpCode.SharpZipLib/Zip/ZipOutputStream.cs

Line 629 in 9e02750

private void WriteEncryptionHeader(long crcValue)

[tdhintz]

There are possibly 3 uses of the insecure Random() found throughout the codebase.