The Precise Pangolin has reached end of life, so this bug will not be
fixed for that release.
** Changed in: kdeplasma-addons (Ubuntu Precise)
Status: Incomplete => Won't Fix
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Changed in: kdeplasma-addons (Debian)
Status: New => Fix Released
--
https://bugs.launchpad.net/bugs/1179380
Title:
paste widget "password" generator uses (very) insecure
quantal has seen the end of its life and is no longer receiving any
updates. Marking the quantal task for this ticket as Won't Fix.
** Changed in: kdeplasma-addons (Ubuntu Quantal)
Status: Incomplete => Won't Fix
--
raring has seen the end of its life and is no longer receiving any
updates. Marking the raring task for this ticket as Won't Fix.
** Changed in: kdeplasma-addons (Ubuntu Raring)
Status: Incomplete => Won't Fix
--
This issue has been rated low by the security team, so a fix for this
issue will be bundled in the next security update that contains a
medium or higher.
Unsubscribing sponsors for now.
--
Is there any progress on this?
--
https://bugs.launchpad.net/bugs/1179380
Title:
paste widget password generator uses (very) insecure randomness
Last thing I heard was on oss-sec list:
Please use CVE-2013-2213 for KDE KRandom::random() CWE-334: Small
Space of Random Values.
So I guess patching KRandom to use qca::random (either using TLS or a
lock) would be the easy fix that would let people sleep at night.
** CVE added:
Yeah, that commit's wrong, unless they're assuming KRandom is a secure
PRNG, in which case we should assign another CVE and I'll write a patch
for that.
--
Check and make sure there wasn't another change after that.
--
I found this:
https://projects.kde.org/projects/kde/kdeplasma-addons/repository/revisions/0e5cecec402c42fb9ebb77f13d8bacd577da886b
I'm guessing somebody tried to push a commit and it didn't make it?
--
Mik, what was upstream's response?
** Changed in: kdeplasma-addons (Ubuntu Raring)
Status: In Progress => Incomplete
** Changed in: kdeplasma-addons (Ubuntu Quantal)
Status: In Progress => Incomplete
** Changed in: kdeplasma-addons (Ubuntu Precise)
Status: In Progress =
Upstream haven't responded to me about anything (not even the original
report).
Fedora released the faulty patch - such a waste of bandwidth :(
--
IIRC there was some discussion about this on kde-devel and a change got
committed to git. You might check there.
--
I can't find the commit - do you know what they changed?
--
On Friday, June 14, 2013 08:00:40 PM you wrote:
> I can't find the commit - do you know what they changed?
kdeplasma-addons 36a1fe49cb70f717c4a6e92c9186503a8dce
That's for trunk/4.11. There was a similar commit for 4.10, but I don't know
its ID.
--
** Patch added: kdeplasma-addons_4.9.5-0ubuntu0.2.debdiff
https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+attachment/3694377/+files/kdeplasma-addons_4.9.5-0ubuntu0.2.debdiff
--
** Patch added: kdeplasma-addons_4.8.5-0ubuntu0.2.debdiff
https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+attachment/3694376/+files/kdeplasma-addons_4.8.5-0ubuntu0.2.debdiff
--
** Patch added: kdeplasma-addons_4.10.3-0ubuntu0.1~ubuntu13.04.1.debdiff
https://bugs.launchpad.net/ubuntu/+source/kdeplasma-addons/+bug/1179380/+attachment/3694378/+files/kdeplasma-addons_4.10.3-0ubuntu0.1%7Eubuntu13.04.1.debdiff
--
** Changed in: kdeplasma-addons (Ubuntu Precise)
Status: Confirmed => In Progress
** Changed in: kdeplasma-addons (Ubuntu Quantal)
Status: Confirmed => In Progress
** Changed in: kdeplasma-addons (Ubuntu Raring)
Status: Confirmed => In Progress
** Changed in: kdeplasma-addons
That patch is wrong - KRandom only takes an int as seed, which is
trivial to replay. (And it falls back to srand(time(NULL)) - not a good
thing, for example if an apparmor policy accidentally blocked
/dev/urandom)
QCA::Random is what you're after.
--
... Although it seems like fixing KRandom to just fill an integer from
/dev/urandom would be a win ...
--
You received this bug notification because you are a member of Kubuntu
Bugs, which is subscribed to kdeplasma-addons in Ubuntu.
Mik,
Could you please communicate with upstream that you consider their patch
to be wrong?
Thanks.
--
Riddell,
Could you please add bb6d0ecb9f842de7bc16fa2eeed7a76662bd5752 to the
debdiff also.
--
This bug was fixed in the package kdeplasma-addons - 4:4.10.3-0ubuntu3
---
kdeplasma-addons (4:4.10.3-0ubuntu3) saucy; urgency=low
* Add kubuntu_02_random_password_generator.diff from upstream
fixes paste widget password generator uses insecure randomness
LP: #1179380
--
now fixed upstream as bug 36a1fe49cb70f717c4a6e92c9186503a8dce
--
** Bug watch added: Debian Bug tracker #710497
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710497
** Also affects: kdeplasma-addons (Debian) via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710497
Importance: Unknown
Status: Unknown
** Also affects: kdeplasma-addons
** Changed in: kdeplasma-addons (Ubuntu Precise)
Status: New => Confirmed
** Changed in: kdeplasma-addons (Ubuntu Quantal)
Status: New => Confirmed
** Changed in: kdeplasma-addons (Ubuntu Raring)
Status: New => Confirmed
** Changed in: kdeplasma-addons (Ubuntu Saucy)
** Changed in: kdeplasma-addons (Debian)
Status: Unknown => New
--
** Information type changed from Private Security to Public Security
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2120