Hello,

On Sunday, 17 May 2009 at 20:23 +0000, The Fungi wrote:
> Apologies--my previous message included a broken patch from an
> earlier attempt rather than the current one. Here is what I'm
> presently using on my systems:

First, thanks for sending this patch, which is for now the only possible fix I have seen for this issue. Unfortunately, the upstream author hasn't answered any of the numerous mails he has received regarding this security issue; I think, however, it is now urgent to fix the Debian package.

> --- /usr/share/ajaxterm/ajaxterm.js 2009-02-17 13:40:43.000000000 +0000
> +++ ajaxterm.js 2009-05-17 20:15:16.000000000 +0000
> @@ -3,7 +3,16 @@
> var ie=0;
> if(window.ActiveXObject)
> ie=1;
> - var sid=""+Math.round(Math.random()*1000000000);
> +
> + // mitigate CVE-2009-1629
> + var sid_arr = (
> + "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
> + ).split("");
> + var sid = "";
> + for (sid_inc = 0 ; sid_inc < 9 ; sid_inc++){
> + sid += sid_arr[Math.floor(Math.random()*sid_arr.length)];
> + }
> +
> var query0="s="+sid+"&w="+width+"&h="+height;
> var query1=query0+"&c=1&k=";
> var buf="";

I am not a security expert, and I am not sure I understand how your patch would make ajaxterm really secure. From what I could read, Math.random() is said to be inherently insecure. Would the proposed code add sufficient randomisation to guarantee ajaxterm security?

As said, I am just trying to understand better before applying the patch and uploading this fix to Debian. Any comment from the Security team would be welcome!

Cheers,
Julien

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
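Review bot: The hunk changes the size of `sid` but not its source. The new loop still draws every character from `Math.random()`, which is not a cryptographic generator, so nine symbols from a 62-character alphabet enlarge the space of possible ids from about 2^30 (`Math.round(Math.random()*1000000000)`) to about 2^53 without making any single id unpredictable; the `// mitigate CVE-2009-1629` comment is accurate in calling this a mitigation rather than a fix. Since `sid` is what the client sends as `s=` in every query, the value that identifies the session should come from a cryptographic source, preferably assigned by the server rather than chosen by the browser; if it has to stay client-side for now, the commit message or the comment should say that the root cause remains. Minor: `for (sid_inc = 0 ; sid_inc < 9 ; sid_inc++)` assigns to an undeclared name and so creates a global; write `for (var sid_inc = 0; ...)`.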