On 02/17/2013 01:19 AM, Jonathan Wiltshire wrote:
> It's traditional to seek approval *before* uploading; more so in this case
> since adding a patch system is a no-no. The change itself is fine, please
> upload with this only. You will have to bump the version number IIRC.

OK, attached is the resulting debdiff.

On a side note, you might consider updating the following page to make it
crystal clear, as I obviously did not get the message:

http://release.debian.org/wheezy/freeze_policy.html

Rule #1: "Changing patch systems" => "Adding or changing patch systems"

Rule #2: "If in doubt, first contact the release team" => "Always contact the release team first"

Thanks,
Jeremy


diff -u pyrad-1.2/debian/changelog pyrad-1.2/debian/changelog
--- pyrad-1.2/debian/changelog
+++ pyrad-1.2/debian/changelog
@@ -1,3 +1,10 @@
+pyrad (1.2-1+deb7u2) testing-proposed-updates; urgency=high
+
+  * Use a better random number generator to prevent predictable password
+    hashing and packet IDs (CVE-2013-0294, Closes: #700669).
+
+ -- Jeremy Lainé <jeremy.la...@m4x.org>  Sun, 17 Feb 2013 08:21:08 +0100
+
 pyrad (1.2-1) unstable; urgency=low
 
   * New upstream release (Closes: #532843).
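
Review bot: the new entry is versioned 1.2-1+deb7u2 but sits directly above 1.2-1, with no +deb7u1 entry between them. If a +deb7u1 upload preceded this one, keep its changelog entry (or state in this entry that it supersedes it) so the version history does not show an unexplained gap.
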
only in patch2:
unchanged:
--- pyrad-1.2.orig/pyrad/packet.py
+++ pyrad-1.2/pyrad/packet.py
@@ -31,8 +31,11 @@
 CoAACK          = 44
 CoANAK          = 45
 
+# Use cryptographic-safe random generator as provided by the OS.
+random_generator = random.SystemRandom()
+
 # Current ID
-CurrentID       = random.randrange(1, 255)
+CurrentID       = random_generator.randrange(1, 255)
 
 class PacketError(Exception):
     pass
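
Review bot: `random_generator.randrange(1, 255)` for CurrentID yields 1..254 because the upper bound is exclusive, while the ID call site later in this patch uses `randrange(0, 256)` for 0..255. If the narrower range is not deliberate, align the two; if it is, say why in the comment. The added comment would also read better as "cryptographically secure random generator".
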
@@ -219,7 +222,7 @@
 
         data=""
         for i in range(16):
-            data+=chr(random.randrange(0,256))
+            data+=chr(random_generator.randrange(0, 256))
 
         return data
     CreateAuthenticator=staticmethod(CreateAuthenticator)
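
Review bot: the 16-iteration loop around `data+=chr(random_generator.randrange(0, 256))` can be replaced by a single `os.urandom(16)`, which is the same OS source SystemRandom reads from and returns the 16-byte string directly. That removes the per-byte string concatenation and makes the authenticator length explicit in one place.
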
@@ -234,7 +237,7 @@
         :rtype:  integer
 
         """
-        return random.randrange(0,256)
+        return random_generator.randrange(0, 256)
 
 
     def ReplyPacket(self):
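
Review bot: with only 256 possible values, an ID drawn independently on each call at `return random_generator.randrange(0, 256)` can coincide with one that is still outstanding. The docstring should state that the returned ID is random and not guaranteed unique, so callers do not rely on it alone to match replies to requests.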
