[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
The Precise Pangolin has reached end of life, so this bug will not be fixed for that release ** Changed in: kdeplasma-addons (Ubuntu Precise) Status: Incomplete => Won't Fix -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
** Changed in: kdeplasma-addons (Debian) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
raring has seen the end of its life and is no longer receiving any updates. Marking the raring task for this ticket as "Won't Fix". ** Changed in: kdeplasma-addons (Ubuntu Raring) Status: Incomplete => Won't Fix -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
quantal has seen the end of its life and is no longer receiving any updates. Marking the quantal task for this ticket as "Won't Fix". ** Changed in: kdeplasma-addons (Ubuntu Quantal) Status: Incomplete => Won't Fix -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
This issue has been rated "low" by the security team, so a fix for this issue will be bundled in the next security update that contains a "medium" or higher. Unsubscribing sponsors for now. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
Last thing I heard was on oss-sec list: Please use CVE-2013-2213 for KDE KRandom::random() CWE-334: Small Space of Random Values. So I guess patching KRandom to use qca::random (either using TLS or a lock) would be the easy fix that would let people sleep at night. ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2013-2213 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
Is there any progress on this? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
I found this: https://projects.kde.org/projects/kde/kdeplasma- addons/repository/revisions/0e5cecec402c42fb9ebb77f13d8bacd577da886b I'm guessing somebody tried to push a commit and it didn't make it? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
Check and make sure there wasn't another change after that. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
Yeah, that commit's wrong, unless they're assuming KRandom is a secure PRNG, in which case we should assign another CVE and I'll write a patch for that. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
On Friday, June 14, 2013 08:00:40 PM you wrote: > I can't find the commit - do you know what they changed? kdeplasma-addons 36a1fe49cb70f717c4a6e92c9186503a8dce That's for trunk/4.11. There was a similar commit for 4.10, but I don't know it's ID. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
I can't find the commit - do you know what they changed? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
IIRC there was some discussion about this on kde-devel and a change got committed to git. You might check there. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
Upstream haven't responded to me about anything (not even the original report). Fedora released the faulty patch - such a waste of bandwidth :( -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
Mik, what was upstream's response? ** Changed in: kdeplasma-addons (Ubuntu Raring) Status: In Progress => Incomplete ** Changed in: kdeplasma-addons (Ubuntu Quantal) Status: In Progress => Incomplete ** Changed in: kdeplasma-addons (Ubuntu Precise) Status: In Progress => Incomplete -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kdeplasma-addons in Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- kubuntu-bugs mailing list kubuntu-b...@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
This bug was fixed in the package kdeplasma-addons - 4:4.10.3-0ubuntu3 --- kdeplasma-addons (4:4.10.3-0ubuntu3) saucy; urgency=low * Add kubuntu_02_random_password_generator.diff from upstream fixes paste widget password generator uses insecure randomness LP: #1179380 -- Jonathan RiddellTue, 04 Jun 2013 11:51:38 +0100 ** Changed in: kdeplasma-addons (Ubuntu Saucy) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
Riddell, Could you please add bb6d0ecb9f842de7bc16fa2eeed7a76662bd5752 to the debdiff also. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
Mik, Could you please communicate with upstream that you consider their patch to be wrong? Thanks. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
... Although it seems like fixing KRandom to just fill an integer from /dev/urandom would be a win ... -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kdeplasma-addons in Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- kubuntu-bugs mailing list kubuntu-b...@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
That patch is wrong - KRandom only takes an int as seed, which is trivial to replay. (And it falls back to srand(time(NULL)) - not a good thing, for example if an apparmor policy accidentally blocked /dev/urandom) QCA::Random is what you're after. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
** Changed in: kdeplasma-addons (Ubuntu Precise) Status: Confirmed => In Progress ** Changed in: kdeplasma-addons (Ubuntu Quantal) Status: Confirmed => In Progress ** Changed in: kdeplasma-addons (Ubuntu Raring) Status: Confirmed => In Progress ** Changed in: kdeplasma-addons (Ubuntu Saucy) Status: Confirmed => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
** Patch added: "kdeplasma-addons_4.10.3-0ubuntu0.1~ubuntu13.04.1.debdiff" https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+attachment/3694378/+files/kdeplasma-addons_4.10.3-0ubuntu0.1%7Eubuntu13.04.1.debdiff -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kdeplasma-addons in Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- kubuntu-bugs mailing list kubuntu-b...@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
** Patch added: "kdeplasma-addons_4.9.5-0ubuntu0.2.debdiff" https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+attachment/3694377/+files/kdeplasma-addons_4.9.5-0ubuntu0.2.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
** Patch added: "kdeplasma-addons_4.8.5-0ubuntu0.2.debdiff" https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+attachment/3694376/+files/kdeplasma-addons_4.8.5-0ubuntu0.2.debdiff -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kdeplasma-addons in Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- kubuntu-bugs mailing list kubuntu-b...@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
now fixed upstream as bug 36a1fe49cb70f717c4a6e92c9186503a8dce -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
** Changed in: kdeplasma-addons (Debian) Status: Unknown => New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
** Changed in: kdeplasma-addons (Ubuntu Precise) Status: New => Confirmed ** Changed in: kdeplasma-addons (Ubuntu Quantal) Status: New => Confirmed ** Changed in: kdeplasma-addons (Ubuntu Raring) Status: New => Confirmed ** Changed in: kdeplasma-addons (Ubuntu Saucy) Status: New => Confirmed ** Changed in: kdeplasma-addons (Ubuntu Precise) Importance: Undecided => Low ** Changed in: kdeplasma-addons (Ubuntu Quantal) Importance: Undecided => Low ** Changed in: kdeplasma-addons (Ubuntu Raring) Importance: Undecided => Low ** Changed in: kdeplasma-addons (Ubuntu Saucy) Importance: Undecided => Low -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kdeplasma-addons in Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- kubuntu-bugs mailing list kubuntu-b...@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
** Bug watch added: Debian Bug tracker #710497 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710497 ** Also affects: kdeplasma-addons (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710497 Importance: Unknown Status: Unknown ** Also affects: kdeplasma-addons (Ubuntu Lucid) Importance: Undecided Status: New ** Also affects: kdeplasma-addons (Ubuntu Precise) Importance: Undecided Status: New ** Also affects: kdeplasma-addons (Ubuntu Raring) Importance: Undecided Status: New ** Also affects: kdeplasma-addons (Ubuntu Quantal) Importance: Undecided Status: New ** Also affects: kdeplasma-addons (Ubuntu Saucy) Importance: Undecided Status: New ** Changed in: kdeplasma-addons (Ubuntu Lucid) Status: New => Won't Fix -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kdeplasma-addons in Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- kubuntu-bugs mailing list kubuntu-b...@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs
[Bug 1179380] Re: paste widget "password" generator uses (very) insecure randomness
** Information type changed from Private Security to Public Security ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2013-2120 -- You received this bug notification because you are a member of Kubuntu Bugs, which is subscribed to kdeplasma-addons in Ubuntu. https://bugs.launchpad.net/bugs/1179380 Title: paste widget "password" generator uses (very) insecure randomness To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+subscriptions -- kubuntu-bugs mailing list kubuntu-b...@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kubuntu-bugs