* [gentoo-commits] gentoo-x86 commit in kde-base/kdeplasma-addons/files: kdeplasma-addons-4.10.3-cve-2013-2120.patch
@ 2013-06-04 16:48 Michael Palimaka (kensington)
From: Michael Palimaka (kensington) @ 2013-06-04 16:48 UTC
To: gentoo-commits
kensington 13/06/04 16:48:31
Added: kdeplasma-addons-4.10.3-cve-2013-2120.patch
Log:
Backport patch from upstream to fix CVE-2013-2120 wrt bug #471904.
(Portage version: 2.1.12.2/cvs/Linux x86_64, signed Manifest commit with key 675D0D2C)
Revision Changes Path
1.1 kde-base/kdeplasma-addons/files/kdeplasma-addons-4.10.3-cve-2013-2120.patch
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/kde-base/kdeplasma-addons/files/kdeplasma-addons-4.10.3-cve-2013-2120.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/kde-base/kdeplasma-addons/files/kdeplasma-addons-4.10.3-cve-2013-2120.patch?rev=1.1&content-type=text/plain
Index: kdeplasma-addons-4.10.3-cve-2013-2120.patch
===================================================================
From d84015218bf78b707650cf5426ae1a469d37c29d Mon Sep 17 00:00:00 2001
From: Aaron Seigo <aseigo@kde.org>
Date: Mon, 3 Jun 2013 19:16:32 +0200
Subject: [PATCH] use KRandom, avoid modulo bias
---
applets/paste/pastemacroexpander.cpp | 29 ++++++++++++++++++++++-------
1 file changed, 22 insertions(+), 7 deletions(-)
diff --git a/applets/paste/pastemacroexpander.cpp b/applets/paste/pastemacroexpander.cpp
index ea6163f..d0a8b49 100644
--- a/applets/paste/pastemacroexpander.cpp
+++ b/applets/paste/pastemacroexpander.cpp
@@ -27,6 +27,7 @@
#include <KDebug>
#include <KLocale>
#include <KMessageBox>
+#include <KRandom>
class PasteMacroExpanderSingleton
{
@@ -142,35 +143,49 @@ QString PasteMacroExpander::password(const QString& args)
<< "01234567890"
<< "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~";
- int charCount;
+ int charCount = 8;
QString chars;
QString result;
if (a.count() > 0) {
- charCount = qMax(a[0].trimmed().toInt(), 1);
- } else {
- charCount = 8;
+ charCount = qMax(a[0].trimmed().toInt(), 8);
}
+
if (a.count() < 2) {
chars = characterSets.join("");
}
+
if (a.count() > 1) {
chars += (a[1].trimmed() == "true") ? characterSets[0] : "";
}
+
if (a.count() > 2) {
chars += (a[2].trimmed() == "true") ? characterSets[1] : "";
}
+
if (a.count() > 3) {
chars += (a[3].trimmed() == "true") ? characterSets[2] : "";
}
+
if (a.count() > 4) {
chars += (a[4].trimmed() == "true") ? characterSets[3] : "";
}
- QDateTime now = QDateTime::currentDateTime();
- qsrand(now.toTime_t() / now.time().msec());
+ const int setSize = chars.count();
+ const int top = (RAND_MAX / setSize) * setSize;
+ kDebug() << "topping out at " << setSize << RAND_MAX << top;
for (int i = 0; i < charCount; ++i) {
- result += chars[qrand() % chars.count()];
+ // to prevent modulo bias, discard random numbers at the
+ // 'top end' of INT_MAX
+ int rand = -1;
+ do {
+ if (rand > 0) {
+ kDebug() << "Ha!" << rand;
+ }
+ rand = KRandom::random();
+ } while (rand >= top);
+
+ result += chars[rand % setSize];
}
//kDebug() << result;
return result;
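Review bot: `const int top = (RAND_MAX / setSize) * setSize;` divides by zero when `chars` is empty, which happens whenever more than one argument is passed and none of the four set flags is `"true"`; the old `qrand() % chars.count()` had the same defect, but since this loop is being rewritten anyway, guard it with `if (chars.isEmpty()) return result;` (or fall back to `characterSets.join("")`) before `top` is computed. Three smaller points: the comment refers to the 'top end' of INT_MAX while `top` is derived from RAND_MAX, which is the range `KRandom::random()` actually draws from, so the comment should say RAND_MAX; the two `kDebug()` calls (`"topping out at "` and `"Ha!"`) read as leftover development tracing and will print on every rejected draw, so drop them or leave them commented out like the `//kDebug() << result;` below; and `charCount = qMax(a[0].trimmed().toInt(), 8)` raises the minimum password length from 1 to 8, a user-visible change that the subject line "use KRandom, avoid modulo bias" does not mention and that deserves a sentence in the commit message. The rejection loop itself is sound: every accepted value lies below a multiple of `setSize`, so `rand % setSize` is uniform over the character set.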
--
1.8.2.1
* [gentoo-commits] gentoo-x86 commit in kde-base/kdeplasma-addons/files: kdeplasma-addons-4.10.3-cve-2013-2120.patch
@ 2013-12-14 22:01 Johannes Huber (johu)
From: Johannes Huber (johu) @ 2013-12-14 22:01 UTC
To: gentoo-commits
johu 13/12/14 22:01:50
Removed: kdeplasma-addons-4.10.3-cve-2013-2120.patch
Log:
Remove unused patch.
(Portage version: 2.2.7/cvs/Linux x86_64, signed Manifest commit with key F3CFD2BD)