libICE depends on arc4random() as well to generate the session cookies, thereby falling back to the same weak mechanism as libXdmcp (bug 611352).
We will have to check, most Gentoo architectures shouldn't be affected due to > elibc_glibc? ( dev-libs/libbsd )
libICE-1.0.9-r1 depends on libbsd, but it is not stabilized yet. We will need to do that.
Stabilization will be handled in bug 611056.
Vulnerable versions dropped: commit 8bd3d32950f98d616d97c0df66a841eb5c6f7f0c Author: Matt Turner <mattst88@gentoo.org> Date: Thu Mar 16 09:11:52 2017 -0700 x11-libs/libICE: Drop vulnerable versions. Bug: https://bugs.gentoo.org/611354
New GLSA request filed.
This issue was resolved and addressed in GLSA 201704-03 at https://security.gentoo.org/glsa/201704-03 by GLSA coordinator Kristian Fiskerstrand (K_F).