Diffstat (limited to '')
-rw-r--r-- | kde/patch/kdeplasma-addons.patch | 2 | ||||
-rw-r--r-- | kde/patch/kdeplasma-addons/random_generator_cve-2013-2120.patch | 76 | ||||
-rw-r--r-- | kde/patch/kdeplasma-addons/random_generator_cve-2013-2120.patch.gz | bin | 945 -> 0 bytes |
3 files changed, 77 insertions, 1 deletions
diff --git a/kde/patch/kdeplasma-addons.patch b/kde/patch/kdeplasma-addons.patch
index 3512d84..8c997b2 100644
--- a/kde/patch/kdeplasma-addons.patch
+++ b/kde/patch/kdeplasma-addons.patch
@@ -1,4 +1,4 @@
 # CVE 2013-2120: paste widget "password" generator uses insecure randomness:
 # Fixed in KDE 4.11.
-#zcat $CWD/patch/kdeplasma-addons/random_generator_cve-2013-2120.patch.gz | patch -p1 --verbose || { touch ${SLACK_KDE_BUILD_DIR}/${PKGNAME}.failed ; continue ; }
+#cat $CWD/patch/kdeplasma-addons/random_generator_cve-2013-2120.patch | patch -p1 --verbose || { touch ${SLACK_KDE_BUILD_DIR}/${PKGNAME}.failed ; continue ; }
diff --git a/kde/patch/kdeplasma-addons/random_generator_cve-2013-2120.patch b/kde/patch/kdeplasma-addons/random_generator_cve-2013-2120.patch
new file mode 100644
index 0000000..7a394a5
--- /dev/null
+++ b/kde/patch/kdeplasma-addons/random_generator_cve-2013-2120.patch
@@ -0,0 +1,76 @@
+From: Aaron Seigo <aseigo@kde.org>
+Date: Mon, 03 Jun 2013 17:16:32 +0000
+Subject: use KRandom, avoid modulo bias
+X-Git-Url: http://quickgit.kde.org/?p=kdeplasma-addons.git&a=commitdiff&h=36a1fe49cb70f717c4a6e9eeee2c9186503a8dce
+---
+use KRandom, avoid modulo bias
+---
+
+
+--- a/applets/paste/pastemacroexpander.cpp
++++ b/applets/paste/pastemacroexpander.cpp
+@@ -27,6 +27,7 @@
+ #include <KDebug>
+ #include <KLocale>
+ #include <KMessageBox>
++#include <KRandom>
+ 
+ class PasteMacroExpanderSingleton
+ {
+@@ -142,35 +143,49 @@
+ << "01234567890"
+ << "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~";
+ 
+- int charCount;
++ int charCount = 8;
+ QString chars;
+ QString result;
+ 
+ if (a.count() > 0) {
+- charCount = qMax(a[0].trimmed().toInt(), 1);
+- } else {
+- charCount = 8;
++ charCount = qMax(a[0].trimmed().toInt(), 8);
+ }
++
+ if (a.count() < 2) {
+ chars = characterSets.join("");
+ }
++
+ if (a.count() > 1) {
+ chars += (a[1].trimmed() == "true") ? characterSets[0] : "";
+ }
++
+ if (a.count() > 2) {
+ chars += (a[2].trimmed() == "true") ? characterSets[1] : "";
+ }
++
+ if (a.count() > 3) {
+ chars += (a[3].trimmed() == "true") ? characterSets[2] : "";
+ }
++
+ if (a.count() > 4) {
+ chars += (a[4].trimmed() == "true") ? characterSets[3] : "";
+ }
+ 
+- QDateTime now = QDateTime::currentDateTime();
+- qsrand(now.toTime_t() / now.time().msec());
++ const int setSize = chars.count();
++ const int top = (RAND_MAX / setSize) * setSize;
++ kDebug() << "topping out at " << setSize << RAND_MAX << top;
+ for (int i = 0; i < charCount; ++i) {
+- result += chars[qrand() % chars.count()];
++ // to prevent modulo bias, discard random numbers at the
++ // 'top end' of INT_MAX
++ int rand = -1;
++ do {
++ if (rand > 0) {
++ kDebug() << "Ha!" << rand;
++ }
++ rand = KRandom::random();
++ } while (rand >= top);
++
++ result += chars[rand % setSize];
+ }
+ //kDebug() << result;
+ return result;
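Review bot: In the vendored hunk for pastemacroexpander.cpp, `const int top = (RAND_MAX / setSize) * setSize;` divides by `setSize` with no check, and `chars` can be empty when a.count() > 1 and every set flag is "false" (the flag branches then append nothing), so the function reaches a division by zero (and `rand % setSize` the same) before producing output; the removed `qrand() % chars.count()` had the same hole, so this is inherited rather than introduced, but the patch leaves it open. A one-line guard after `const int setSize = chars.count();`, e.g. `if (setSize == 0) { return result; }`, closes it; since this file is an upstream KDE patch, the guard belongs in a follow-up patch rather than an edit to this one. The added comment `// 'top end' of INT_MAX` names the wrong bound, because the rejection threshold is computed from `RAND_MAX`; `// 'top end' of RAND_MAX` matches the code. Rejection sampling removes the modulo bias, but the result is only as unpredictable as `KRandom::random()` itself, which in kdelibs 4 appears to be libc rand() seeded once from /dev/urandom (to be confirmed against the kdelibs source), so the build script's "insecure randomness" wording should be read as narrowed, not fully resolved, by this patch. The enclosing function begins before the inner `@@ -142,35 +143,49 @@` hunk, so the characterSets setup it relies on is not visible here.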
diff --git a/kde/patch/kdeplasma-addons/random_generator_cve-2013-2120.patch.gz b/kde/patch/kdeplasma-addons/random_generator_cve-2013-2120.patch.gz Binary files differdeleted file mode 100644 index a6f723a..0000000 --- a/kde/patch/kdeplasma-addons/random_generator_cve-2013-2120.patch.gz +++ /dev/null |