[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#678806: pu: package yaws/1.88-2+squeeze1

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi!

Recently, the random number generator predictability was discovered
in yaws_session_server module of YAWS web server (see [1] and [2]).

I'd like to fix this bug in stable (the debdiff is attached).

The change also fixes grave bug in the YAWS mail application (it
currently can't read its config).

[1] http://sourceforge.net/mailarchive/forum.php?thread_name=20120624072521.GA22850%40k2r.org&forum_name=erlyaws-list
[2] http://erlang.org/pipermail/erlang-questions/2012-June/067566.html

-- System Information:
Debian Release: 6.0.5
  APT prefers proposed-updates
  APT policy: (990, 'proposed-updates'), (990, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

diff -u yaws-1.88/debian/changelog yaws-1.88/debian/changelog
--- yaws-1.88/debian/changelog
+++ yaws-1.88/debian/changelog
@@ -1,3 +1,10 @@
+yaws (1.88-2+squeeze1) stable-security; urgency=low
+
+  * Added a patch which fixes insufficient random numbers generator strength.
+  * Fixed a grave bug with config loading in YAWS mail application.
+
+ -- Sergei Golovan <sgolovan@debian.org>  Sun, 24 Jun 2012 12:36:19 +0400
+
 yaws (1.88-2) unstable; urgency=low
 
   * Split out Yaws application to a separate package erlang-yaws, which
diff -u yaws-1.88/debian/patches/series yaws-1.88/debian/patches/series
--- yaws-1.88/debian/patches/series
+++ yaws-1.88/debian/patches/series
@@ -9,0 +10,2 @@
+random.diff
+mail.diff
only in patch2:
unchanged:
--- yaws-1.88.orig/debian/patches/mail.diff
+++ yaws-1.88/debian/patches/mail.diff
@@ -0,0 +1,26 @@
+Author: Sergei Golovan
+Description: Patch fixes the YAWS mail application config loading.
+Last-modified:Sun, 24 Jun 2012 12:08:14 +0400
+
+--- yaws-1.88.orig/applications/mail/src/mail.erl
++++ yaws-1.88/applications/mail/src/mail.erl
+@@ -2603,7 +2603,7 @@
+     Cfg;
+ read_config(FD, Cfg, Lno, Chars) ->
+     Next = io:get_line(FD, ''),
+-    case yaws_config:toks(Chars) of
++    case yaws_config:toks(Lno, Chars) of
+         [] ->
+             read_config(FD, Cfg, Lno+1, Next);
+         ["ttl", '=', IntList] ->
+--- yaws-1.88.orig/src/yaws_config.erl
++++ yaws-1.88/src/yaws_config.erl
+@@ -25,7 +25,7 @@
+          update_sconf/2, delete_sconf/2,
+          eq_sconfs/2, soft_setconf/4, hard_setconf/2,
+          can_hard_gc/2, can_soft_setconf/4,
+-         can_soft_gc/2, verify_upgrade_args/2]).
++         can_soft_gc/2, verify_upgrade_args/2, toks/2]).
+ 
+ %% where to look for yaws.conf 
+ paths() ->
only in patch2:
unchanged:
--- yaws-1.88.orig/debian/patches/random.diff
+++ yaws-1.88/debian/patches/random.diff
@@ -0,0 +1,132 @@
+Author: Upstream & Sergei Golovan
+Description: Patch replaces random:uniform/1 calls by crypto:rand_bytes/1
+ which is more secure.
+Last-modified: Sun, 24 Jun 2012 12:36:11 +0400
+
+--- yaws-1.88.orig/applications/mail/src/smtp.erl
++++ yaws-1.88/applications/mail/src/smtp.erl
+@@ -88,7 +88,10 @@
+     lists:flatten(
+       io_lib:format("~s_~2.2.0w_~s_~w_~2.2.0w:~2.2.0w:~2.2.0w_~w",
+                     [weekday(Y,Mo,D), D, int_to_mt(Mo),
+-                     Y,H,M,S,random:uniform(5000)])).
++                     Y,H,M,S,bin2int(crypto:rand_bytes(4))])).
++
++bin2int(Bin) ->
++    lists:foldl(fun(N, Acc) -> Acc * 256 + N end, 0, binary_to_list(Bin)).
+ 
+ 
+ smtp_init(Server, From, Recipients) ->
+--- yaws-1.88.orig/applications/mail/src/mail.erl
++++ yaws-1.88/applications/mail/src/mail.erl
+@@ -1053,8 +1053,6 @@
+     end.
+ 
+ session_manager_init() ->
+-    {X,Y,Z} = seed(),
+-    random:seed(X, Y, Z),
+     session_manager([], now(), read_config()).
+ 
+ session_manager(C0, LastGC0, Cfg) ->
+@@ -1078,7 +1076,7 @@
+             end,
+             session_manager(C, LastGC, Cfg);
+         {new_session, Session, From} ->
+-            Cookie = integer_to_list(random:uniform(1 bsl 50)),
++            Cookie = integer_to_list(bin2int(crypto:rand_bytes(16))),
+             From ! {session_manager, Cookie},
+             session_manager([{Cookie, Session#session{cookie=Cookie},
+                               now()}|C], LastGC, Cfg);
+@@ -1219,15 +1217,6 @@
+ diff({M1,S1,_}, {M2,S2,_}) ->
+     (M2-M1)*1000000+(S2-S1).
+ 
+-seed() ->
+-    case (catch list_to_binary(
+-                  os:cmd("dd if=/dev/urandom ibs=12 count=1 2>/dev/null"))) of
+-        <<X:32, Y:32, Z:32>> ->
+-            {X, Y, Z};
+-        _ ->
+-            now()
+-    end.
+-
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ 
+ retr(Server, User, Password, Nr) ->
+@@ -1959,7 +1948,10 @@
+     lists:flatten(
+       io_lib:format("~s_~2.2.0w_~s_~w_~2.2.0w:~2.2.0w:~2.2.0w_~w",
+                     [weekday(Y1,Y2,Mo,D), D, int_to_mt(Mo),
+-                     y(Y1,Y2),H,M,S,random:uniform(5000)])).
++                     y(Y1,Y2),H,M,S,bin2int(crypto:rand_bytes(4))])).
++
++bin2int(Bin) ->
++    lists:foldl(fun(N, Acc) -> Acc * 256 + N end, 0, binary_to_list(Bin)).
+ 
+ date_and_time_to_string(DAT) ->
+     case validate_date_and_time(DAT) of
+--- yaws-1.88.orig/applications/chat/src/chat.erl
++++ yaws-1.88/applications/chat/src/chat.erl
+@@ -148,7 +148,7 @@
+             end,
+             chat_server(Users);
+         {new_session, User, From} ->
+-            Cookie = integer_to_list(random:uniform(1 bsl 50)),
++            Cookie = integer_to_list(bin2int(crypto:rand_bytes(16))),
+             Session = #user{cookie=Cookie, user=User, color=pick_color()},
+             From ! {session_manager, Cookie, Session},
+             chat_server([Session|Users]);
+@@ -187,6 +187,9 @@
+         5000 ->
+             chat_server(Users)
+     end.
++
++bin2int(Bin) ->
++    lists:foldl(fun(N, Acc) -> Acc * 256 + N end, 0, binary_to_list(Bin)).
+ 
+ 
+ %%
+--- yaws-1.88.orig/src/yaws_session_server.erl
++++ yaws-1.88/src/yaws_session_server.erl
+@@ -136,8 +136,6 @@
+ %%          {stop, Reason}
+ %%----------------------------------------------------------------------
+ init([]) ->
+-    {X,Y,Z} = seed(),
+-    random:seed(X, Y, Z),
+     ets:new(?MODULE, [set, named_table, public, {keypos, 2}]),
+     start_long_timer(),
+     {ok, undefined, to()}.
+@@ -154,18 +152,6 @@
+     2 * 60 * 1000.  
+ 
+ 
+-%% pretty good seed, but non portable
+-seed() ->
+-    case (catch list_to_binary(
+-           os:cmd("dd if=/dev/urandom ibs=12 count=1 2>/dev/null"))) of
+-        <<X:32, Y:32, Z:32>> ->
+-            {X, Y, Z};
+-        _ ->
+-            now()
+-    end.
+-
+-
+-
+ %%----------------------------------------------------------------------
+ %% Func: handle_call/3
+ %% Returns: {reply, Reply, State}          |
+@@ -176,9 +162,12 @@
+ %%          {stop, Reason, State}            (terminate/2 is called)
+ %%----------------------------------------------------------------------
+ 
++
++bin2int(Bin) ->
++    lists:foldl(fun(N, Acc) -> Acc * 256 + N end, 0, binary_to_list(Bin)).
+ 
+ handle_call({new_session, Opaque, TTL, Cleanup}, From, State) ->
+-    N = random:uniform(16#ffffffffffffffff), %% 64 bits
++    N = bin2int(crypto:rand_bytes(16)),
+     Cookie = atom_to_list(node()) ++ [$-|integer_to_list(N)],
+     handle_call({new_session, Opaque, TTL, Cleanup, Cookie}, From, State);
+
Reply to: