On Mon, 21 Jul 2025 at 15:31, Yadd <y...@debian.org> wrote:
> Hi,
>
> upstream chose to add a new dependency to fix CVE-2025-46653. However I
> think using the "crypto" module is enough to fix this potential lack of
> randomness.
> Since Trixie has been frozen, I propose this little patch to fix the
> issue without changing the source (adding a component).
>
> The proposed patch:
> - replaces hexoid (which uses Math.random) by the built-in module "crypto"
> - increases the id length from 25 characters to 40
>
> If you think it's OK to fix the issue, I'll upload and put an unblock in the BTS.
>
Sorry for the late reply. There are two issues with this patch:
- it doesn't generate a HEX string, while hexoid does
- it could be much simpler:

    const crypto = require('crypto');

    function genIdTwo(len = 40) {
      return crypto.randomBytes(Math.ceil(len / 2)).toString('hex').slice(0, len);
    }

Jérémy