From ${URL} : The paste applet included with kdeplasma-addons allows you to define macros that will copy some generated data into the clipboard, using simple macros to define the source and format of the data. The available macros include %{password(...)} which generates "random" passwords. Here is the code that generates the passwords (from pastemacroexpander.cpp): QDateTime now = QDateTime::currentDateTime(); qsrand(now.toTime_t() / now.time().msec()); for (int i = 0; i < charCount; ++i) { result += chars[qrand() % chars.count()]; } Breaking passwords generated by this (for example from leaked password hashes) can be done extremely quickly, especially if a password expiry or other hint is stored with the password. Workaround: You can change the macro you were using to a %{exec(...)} macro which calls a secure password generator. Please select your replacement carefully. @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Patched in CVS. It is ready to stabilise at your convenience. + 04 Jun 2013; Michael Palimaka <kensington@gentoo.org> + +files/kdeplasma-addons-4.10.3-cve-2013-2120.patch, + +kdeplasma-addons-4.10.3-r1.ebuild: + Backport patch from upstream to fix CVE-2013-2120 wrt bug #471904.
OK let's get this fixed. Please stabilize kde-base/kdeplasma-addons-4.10.3-r1 amd64 ppc ppc64 x86
amd64 stable
x86 stable
ppc stable
ppc64 stable
Thanks all, kde herd has nothing to do here anymore. + 09 Jun 2013; Johannes Huber <johu@gentoo.org> -kdeplasma-addons-4.10.3.ebuild: + Remove old wrt bug #471904.
According to RedHat "That fix is not much better. KRandom is just rand(), so there's only 2^32 possible seeds.". Thoughts?
(In reply to Michael Palimaka (kensington) from comment #8) > According to RedHat "That fix is not much better. KRandom is just rand(), > so there's only 2^32 possible seeds.". > > Thoughts? This is now tracked in bug #474986 instead.
GLSA vote: no.
GLSA vote: no Closing as noglsa
