Hello release folks!

Hereby I am kindly requesting to unblock libuser-simple-perl 1.42 (testing has 1.40 now), though I am not a maintainer of this package. 1.42 has already spent the needed 10 days in unstable. The diff contains a one-character built-in documentation fix and the fix for an important security flaw [1]. It would be good to have it in Lenny. The diff is very small and attached for convenience.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508312

--
Eugene V. Lyubimkin aka JackYF, JID: jackyf.devel(maildog)gmail.com
Ukrainian C++ developer, Debian Maintainer, APT contributor
--- Simple.pm 2008-06-28 20:18:03.000000000 +0300
+++ /usr/share/perl5/User/Simple.pm 2008-12-11 01:56:05.000000000 +0200
@@ -79,7 +79,7 @@
Once the object is created, we can ask it to verify that a given user is
valid, either by checking against a session string or against a login/password
-pair::
+pair:
$ok = $usr->ck_session($session);
$ok = $usr->ck_login($login, $passwd, [$no_sess]);
@@ -171,7 +171,7 @@
use UNIVERSAL qw(isa);
our $AUTOLOAD;
-our $VERSION = '1.40';
+our $VERSION = '1.42';
######################################################################
# Constructor/destructor
@@ -306,9 +306,10 @@
$self->_debug(3, "Not touching session");
} else {
+ my $salt = _session_salt();
unless ($sth = $self->{db}->prepare("UPDATE $self->{tbl} SET
session = ? WHERE id = ?") and
- $sth->execute(md5_hex(join('-', Today_and_Now)), $id)) {
+ $sth->execute(md5_hex(join('-', $salt, Today_and_Now)), $id)) {
$self->_debug(1,'Could not create user session');
return undef;
}
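Review bot: on the `+ $sth->execute(md5_hex(join('-', $salt, Today_and_Now)), $id))` line the session token's unpredictability now rests entirely on `$salt`, since `Today_and_Now` is knowable to within a second; `_session_salt` (next hunk) draws that salt from Perl's `rand()`, a general-purpose PRNG rather than a cryptographic source, so the change removes the trivially guessable timestamp-only token but the result is still only as strong as `rand()`'s seed and internal state. Consider either drawing the salt bytes from a cryptographic source such as /dev/urandom where available, or documenting this limitation next to the call so deployers know the token is not cryptographically random.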
@@ -516,4 +517,11 @@
}
}
+# Generates a random, printable (ASCII 46-126), 10 character long salt
+# to mix in the session generation.
+sub _session_salt {
+ join("", map { chr(rand()*78 + 46) } (0..10))
+}
+
+
1;
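Review bot: the comment above `_session_salt` does not match the code. `(0..10)` is an 11-element list, so `map` emits 11 characters, not 10; and `rand()` lies in [0,1), so `rand()*78 + 46` is always below 124 and `chr` truncates it to 46..123, making the upper bound `{` (123) rather than 126. Either correct the comment, or change the body to `map { chr(rand()*81 + 46) } (1..10)` so that it really yields 10 characters in 46..126. The two trailing `+` blank lines before `1;` are whitespace noise and can be dropped.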