Comment 1 for bug 1710341

Seems that viruuid.c:virUUIDGenerate tries to use virUUIDGenerateRandomBytes from /dev/urandom in preference to virUUIDGeneratePseudoRandomBytes which uses virRandomBits().

xenial version (1.3.1) does not contain the qemuDomainSecretAESSetup code. zesty (2.5.0) does though it seems to have a similar fallback.

So the most obvious paths may not be a security issue.

In terms of a proper fix... 2.5.0 also has a new virRandomBytes() that opens /dev/urandom to get bytes. Various code paths (as above) seem to use virRandomBits() as a fallback for urandom being unavailable -- so not sure if it makes more sense to attempt to seed virRandomBits with urandom anyway (but fall back) or just convert virMacAddrGenerate to use virRandomBytes. Particularly for a backport fix to trusty/xenial.