You catch them immediately by recompiling the source. In fact, this is the test most people do with open source security SW. In many cases binaries are not even provided.
...releasing source code that is different from the one that is used
Of course you cannot catch them immediately. In fact you are not likely to catch them at all.
You will need an assembly-level review of the entire application, which is _not_ how "most people" deal with "an open source security SW". Mere binary comparison will yield nothing unless you replicate their build environment bit-to-bit, including matching a system time. You will be able to see major blocks of code being added or removed, but - putting your own example to use - you will _not_ detect PRNG initialization done differently in the pre-compiled binary.
There is a difference between what you can do and what you actually will do. You can make a detailed review of their code and you can audit the assembly of the pre-built binary. But in practice you will not do it, because it's extremely tedious and takes an enormous amount of time. You will likely assume that since the sources are open, their developer must mean no evil. Maybe you will look at the sources, but again this tells you nothing about the binary distro.
Open-sourced or closed-sourced, if you plan to use binaries, analyzing the program's output/input is the only real way to establish trust in it. And this is where 'open spec' comes into the picture. Open source might ease mild paranoia, but open specs deal with severe paranoia.
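The binary-versus-rebuild comparison argued over above, as an added example that is not from either poster: a hash match proves the rebuild reproduced the vendor binary, while a mismatch only tells you where the bytes differ, and a difference outside a known volatile field (here an assumed build-timestamp field at a constructed offset) is exactly the case that still needs an assembly-level review. The sample "binaries" and the timestamp offset are constructed for the demonstration.

```python
import hashlib
from typing import List, Tuple

Region = Tuple[int, int]  # half-open byte range [start, end)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_regions(a: bytes, b: bytes) -> List[Region]:
    """Return the contiguous byte ranges where a and b differ; a length
    mismatch counts as one trailing region."""
    regions: List[Region] = []
    n = min(len(a), len(b))
    i = 0
    while i < n:
        if a[i] != b[i]:
            start = i
            while i < n and a[i] != b[i]:
                i += 1
            regions.append((start, i))
        else:
            i += 1
    if len(a) != len(b):
        regions.append((n, max(len(a), len(b))))
    return regions


def compare_build(vendor: bytes, rebuilt: bytes,
                  known_volatile: List[Region]) -> Tuple[str, List[Region]]:
    """'identical' if the rebuild reproduces the vendor binary bit-for-bit;
    'explained' if every difference lies inside a known volatile field
    (e.g. an embedded build timestamp); otherwise 'unexplained' with the
    regions a reviewer must inspect at the assembly level."""
    if sha256_hex(vendor) == sha256_hex(rebuilt):
        return "identical", []
    regions = diff_regions(vendor, rebuilt)
    unexplained = [r for r in regions
                   if not any(k[0] <= r[0] and r[1] <= k[1] for k in known_volatile)]
    return ("explained", regions) if not unexplained else ("unexplained", unexplained)


# Constructed sample images: 20 bytes of "code", a 4-byte build timestamp
# at offset 20, 4 bytes of padding, then a 4-byte PRNG seed constant at 28.
CODE = b"\x7fELF" + b"\x90" * 16
TIMESTAMP_FIELD: Region = (20, 24)          # assumed volatile field
VENDOR = CODE + b"\x00\x00\x00\x01" + b"\x00" * 4 + b"SEED"
REBUILT_SAME_ENV = CODE + b"\x00\x00\x00\x01" + b"\x00" * 4 + b"SEED"
REBUILT_OTHER_TIME = CODE + b"\x00\x00\x00\x02" + b"\x00" * 4 + b"SEED"
REBUILT_TAMPERED = CODE + b"\x00\x00\x00\x02" + b"\x00" * 4 + b"SEEd"
```

Only the "unexplained" region is worth a human's time; the timestamp-only mismatch is the reproducible-build noise the reply above describes.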