Re: Bug#700669: Allow pyrad 1.2-1+deb7u1 into wheezy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/17/2013 01:19 AM, Jonathan Wiltshire wrote:
> It's traditional to seek approval *before* uploading; more so in this case since adding a
> patch system is a no-no. The change itself is fine, please upload with this only. You will
> have to bump the version number IIRC.
OK, attached is the resulting debdiff.
On a side note, you might consider updating the following page to make it crystal clear, as
I obviously did not get the message:
http://release.debian.org/wheezy/freeze_policy.html
Rule #1: "Changing patch systems" => "Adding or changing patch systems"
Rule #2: "If in doubt, first contact the release team" => "Always contact the release team
first"
Thanks,
Jeremy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAlEgiHgACgkQ4mJJZqJp2SeURwCfehij0NsJR5BO10rIP32pYjqe
On0AnixhAivkdmHVHj82URcWnnCdzTzg
=8wEX
-----END PGP SIGNATURE-----
diff -u pyrad-1.2/debian/changelog pyrad-1.2/debian/changelog
--- pyrad-1.2/debian/changelog
+++ pyrad-1.2/debian/changelog
@@ -1,3 +1,10 @@
+pyrad (1.2-1+deb7u2) testing-proposed-updates; urgency=high
+
+ * Use a better random number generator to prevent predictable password
+ hashing and packet IDs (CVE-2013-0294, Closes: #700669).
+
+ -- Jeremy Lainé <jeremy.laine@m4x.org> Sun, 17 Feb 2013 08:21:08 +0100
+
pyrad (1.2-1) unstable; urgency=low
* New upstream release (Closes: #532843).
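Review bot: the changelog wording "predictable password hashing" names the downstream effect rather than what this upload actually randomises; the functions touched in packet.py generate the 16-byte Request Authenticator (CreateAuthenticator) and the packet identifier (CreateID), so "predictable authenticators and packet IDs" would match the code change and is clearer to anyone reading the security tracker entry for CVE-2013-0294. The version 1.2-1+deb7u2 against testing-proposed-updates with urgency=high is otherwise what was asked for.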
only in patch2:
unchanged:
--- pyrad-1.2.orig/pyrad/packet.py
+++ pyrad-1.2/pyrad/packet.py
@@ -31,8 +31,11 @@
CoAACK = 44
CoANAK = 45
+# Use cryptographic-safe random generator as provided by the OS.
+random_generator = random.SystemRandom()
+
# Current ID
-CurrentID = random.randrange(1, 255)
+CurrentID = random_generator.randrange(1, 255)
class PacketError(Exception):
pass
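Review bot: `CurrentID = random_generator.randrange(1, 255)` keeps the pre-existing 1..254 range, which excludes both 0 and 255, while CreateID in the hunk below draws from `randrange(0, 256)`; a RADIUS identifier is a full octet, so unless the exclusion is deliberate use `randrange(0, 256)` here too so the initial ID and subsequent IDs come from the same space. Minor: "cryptographic-safe" reads better as "cryptographically secure random generator provided by the OS (os.urandom)". Also note that `random.SystemRandom()` is now instantiated at module import time, so on a platform without an OS entropy source the import itself fails rather than the first call; acceptable for Debian's Linux kernels, but worth stating in the comment.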
@@ -219,7 +222,7 @@
data=""
for i in range(16):
- data+=chr(random.randrange(0,256))
+ data+=chr(random_generator.randrange(0, 256))
return data
CreateAuthenticator=staticmethod(CreateAuthenticator)
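Review bot: the loop in CreateAuthenticator still assembles the 16-byte authenticator one `chr(random_generator.randrange(0, 256))` at a time; since SystemRandom itself reads from os.urandom, `return os.urandom(16)` yields the same entropy source in a single call and drops the per-byte randrange overhead (add `import os` if packet.py does not already import it). If the loop is kept for minimal-diff reasons, a comment saying the 16 bytes form the RADIUS Request Authenticator would help the next maintainer see why this must not fall back to the default `random` module.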
@@ -234,7 +237,7 @@
:rtype: integer
"""
- return random.randrange(0,256)
+ return random_generator.randrange(0, 256)
def ReplyPacket(self):
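Review bot: drawing CreateID from `random_generator.randrange(0, 256)` removes the predictability but not the collision risk: the identifier is still a single octet, so with several requests in flight two outstanding packets can receive the same ID and a reply can be matched to the wrong request. Whatever consumes CreateID should still track IDs in use and not reissue one until its reply or timeout; this hunk alone cannot provide that. The `:rtype: integer` docstring could also state the 0..255 range explicitly.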