Hi, I have backported the attached patch and will be uploading Cherokee 1.0.8-5+squeeze1. This addresses #647205; since the security impact is very small, the DSA team asked me to upload to a point release instead. I know the instructions state that I should first discuss this on d-release and only then upload, but as I expect this to be a simple change, I'm uploading to DELAYED/3. Please keep me Cc:ed on replies, as I'm not subscribed to the list.
From: Gunnar Wolf <gwolf@debian.org>
Origin: vendor
Forwarded: not-needed
Last-update: 2011-11-23
Bug: #647205
Applied-Upstream: yes
Description: Avoid brute-forceable password in cherokee-admin
Backported a safer password generation routine from ~ 1.2.98, instead
of generating from PID+timer
Index: cherokee-1.0.8/cherokee/main_admin.c
===================================================================
--- cherokee-1.0.8.orig/cherokee/main_admin.c 2011-11-23 12:13:19.000000000 -0600
+++ cherokee-1.0.8/cherokee/main_admin.c 2011-11-23 12:17:03.000000000 -0600
@@ -104,10 +104,8 @@
cuint_t i;
cuint_t n;
- srand(getpid()*time(NULL));
-
for (i=0; i<PASSWORD_LEN; i++) {
- n = rand()%(sizeof(ALPHA_NUM)-1);
+ n = cherokee_random()%(sizeof(ALPHA_NUM)-1);
cherokee_buffer_add_char (buf, ALPHA_NUM[n]);
}
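Review bot: The password drawn in this loop can have no more entropy than the seed behind `cherokee_random()`, which the companion `cherokee_random_seed()` in util.c keeps in a single `unsigned` (typically 32 bits), so the PASSWORD_LEN characters are a deterministic expansion of at most that much randomness however long the password is. For an admin password it would be stronger to fill a PASSWORD_LEN-byte array straight from /dev/urandom (retrying on EINTR as the seeding routine already does) and use `cherokee_random()` only when that read fails. The per-character `% (sizeof(ALPHA_NUM)-1)` also carries a small modulo bias; a one-line comment acknowledging it would help the next reader. The enclosing function starts before this hunk.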
@@ -489,6 +487,11 @@
#endif
cherokee_init();
+
+ /* Seed random numbers
+ */
+ cherokee_random_seed();
+
cherokee_spawner_set_active (false);
process_parameters (argc, argv);
Index: cherokee-1.0.8/cherokee/util.c
===================================================================
--- cherokee-1.0.8.orig/cherokee/util.c 2011-11-23 12:13:19.000000000 -0600
+++ cherokee-1.0.8/cherokee/util.c 2011-11-23 12:16:06.000000000 -0600
@@ -2040,3 +2040,63 @@
cherokee_buffer_add (buf, ip_str, strlen(ip_str));
return ret_ok;
}
+
+void
+cherokee_random_seed (void)
+{
+#ifdef HAVE_SRANDOMDEV
+ srandomdev();
+#else
+ int fd;
+ ssize_t re;
+ unsigned seed;
+
+ /* Open device
+ */
+ fd = open("/dev/urandom", O_RDONLY);
+ if (fd == -1) {
+ fd = open("/dev/random", O_RDONLY);
+ }
+
+ /* Read seed
+ */
+ if (fd != -1) {
+ do {
+ re = read (fd, &seed, sizeof(seed));
+ } while ((re == -1) && (errno == EINTR));
+
+ cherokee_fd_close(fd);
+
+ if (re == sizeof(seed))
+ goto out;
+ }
+
+ /* Home-made seed
+ */
+ cherokee_bogotime_update();
+
+ seed = cherokee_bogonow_tv.tv_usec;
+ if (cherokee_bogonow_tv.tv_usec & 0xFF)
+ seed *= (cherokee_bogonow_tv.tv_usec & 0xFF);
+
+ out:
+ /* Set the seed
+ */
+# if HAVE_SRANDOM
+ srandom (seed);
+# else
+ srand (seed);
+# endif
+#endif
+}
+
+
+long
+cherokee_random (void)
+{
+#ifdef HAVE_RANDOM
+ return random();
+#else
+ return rand();
+#endif
+}
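Review bot: When neither /dev/urandom nor /dev/random can be opened or read, `cherokee_random_seed()` silently falls back to a seed derived only from `cherokee_bogonow_tv.tv_usec`, which is the same small, guessable space that #647205 is about, and nothing tells the operator it happened. At minimum the fallback should fold in more state, e.g. `seed ^= (unsigned) getpid() ^ (unsigned) cherokee_bogonow_tv.tv_sec;` just before the `out:` label, and report the degraded seed through the project's logging facility so it is visible in the logs. Separately, seeding is gated on `HAVE_SRANDOM` while `cherokee_random()` draws on `HAVE_RANDOM`; if the two configure macros ever disagree, the generator that is seeded is not the one that is sampled, so both should test the same macro. The `# if HAVE_SRANDOM` form also differs from the `#ifdef` used elsewhere in this hunk and breaks preprocessing if the macro is defined empty, so `# ifdef HAVE_SRANDOM` is the safer spelling.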