
List:       oss-security
Subject:    Re: [oss-security] KDE Paste Applet
From:       Michael Samuel <mik () miknet ! net>
Date:       2013-06-13 0:02:38
Message-ID: CACYkhxjGw6DC1+OBMcTid6S2dAFe5JuZC2LQ-+_XGYERRVU2eg () mail ! gmail ! com


Ok, so the fix for this uses KRandom::random()...

I suggest leaving the KDE Paste fix as-is and replacing KRandom with
something that just fills an integer from /dev/urandom - then we can save a
few CVE numbers for the rest of the year.

qrand() should probably also do the same, especially since cnonces for HTTP
auth are using it - that means there's only 2^32 (at best) possible
cnonces...

Regards,
  Michael


On 31 May 2013 22:43, Jeff Mitchell <mitchell@kde.org> wrote:

> Michael Samuel wrote:
> 
> > Is anyone from KDE working on fixing this?  I wrote a quick patch and
> > was hoping somebody from the KDE team could vet and incorporate it.
> > 
> 
> Actually sending the patch to the thread you started at security@kde.org would
> probably help grease wheels...
> --Jeff
> 
> 
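
Added example, not part of the original message and not KDE or Qt code: one way to do what the message proposes, filling an integer straight from /dev/urandom, plus a 128-bit token so that a value such as an HTTP auth cnonce is not limited to 2^32 possibilities. The names fill_random, urandom_uint32 and random_hex_token are hypothetical, and a POSIX system with /dev/urandom is assumed.

```cpp
// Added example (not KDE/Qt code); helper names are hypothetical.
#include <cerrno>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <fcntl.h>
#include <unistd.h>

// Fill buf with len bytes from the kernel CSPRNG. Returns false on any
// failure so the caller can fail closed instead of falling back to a PRNG.
bool fill_random(void *buf, std::size_t len, const char *path = "/dev/urandom") {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return false;
    unsigned char *p = static_cast<unsigned char *>(buf);
    std::size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, p + got, len - got);
        if (n < 0 && errno == EINTR) continue;  // interrupted: retry
        if (n <= 0) break;                      // error or EOF: give up
        got += static_cast<std::size_t>(n);
    }
    close(fd);
    return got == len;
}

// Replacement for "give me a random integer" call sites.
bool urandom_uint32(std::uint32_t &out) { return fill_random(&out, sizeof out); }

// Hex token of nbytes random bytes (default 128 bits), so the value space
// is not bounded by a 32-bit seed. Returns an empty string on failure.
std::string random_hex_token(std::size_t nbytes = 16) {
    std::string raw(nbytes, '\0');
    if (nbytes == 0 || !fill_random(&raw[0], nbytes)) return std::string();
    static const char hex[] = "0123456789abcdef";
    std::string out;
    for (unsigned char c : raw) {
        out.push_back(hex[c >> 4]);
        out.push_back(hex[c & 0x0f]);
    }
    return out;
}

int main() {
    std::uint32_t v = 0;
    if (!urandom_uint32(v)) { std::perror("urandom"); return 1; }
    std::printf("%08x %s\n", static_cast<unsigned>(v), random_hex_token().c_str());
    return 0;
}
```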


