
Re: [oss-security] KDE Paste Applet



On 05/28/2013 05:16 AM, Michael Samuel wrote:
> The paste applet included with kdeplasma-addons allows you to define
> macros that will copy some generated data into the clipboard, using
> simple macros to define the source and format of the data.
> 
> The available macros include %{password(...)} which generates "random"
> passwords.
> 
> Here is the code that generates the passwords (from pastemacroexpander.cpp):
> 
>     QDateTime now = QDateTime::currentDateTime();
>     // Seed is wall-clock seconds divided by the current millisecond
>     // (0..999): a small, guessable range, and msec() == 0 divides by zero.
>     qsrand(now.toTime_t() / now.time().msec());
>     for (int i = 0; i < charCount; ++i) {
>         // qrand() % n is additionally biased toward the low indices.
>         result += chars[qrand() % chars.count()];
>     }
> 
> Breaking passwords generated by this (for example from leaked password
> hashes) can be done extremely quickly, especially if a password expiry
> or other hint is stored with the password.
> 
> Workaround: You can change the macro you were using to a %{exec(...)}
> macro which calls a secure password generator.  Please select your
> replacement carefully.
> 
> I reported this to security@xxxxxxx and created a launchpad ticket
> against the Ubuntu package on May 13, followed up with a proof of
> concept on the 17th, and have received no response at all from either.
> Apologies if that was the wrong contact method.
> 
> Regards,
>   Michael

Nice find. Please use CVE-2013-2120 for this issue.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
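The seeding quoted above takes its randomness from the wall clock, so the number of distinct passwords is bounded by the number of distinct seeds, not by the password length. Added example, not code from the report or from kdeplasma-addons: plain C++ without Qt that quantifies that bound and shows a replacement generator built on getrandom(2) with rejection sampling; the names weakSeedBits, passwordBits and securePassword are chosen here, and the block assumes Linux.

```cpp
#include <cmath>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <sys/random.h>   // getrandom(2); Linux-specific (assumed)

// Upper bound, in bits, on the number of distinct seeds that
// qsrand(now.toTime_t() / now.time().msec()) can yield inside a window
// of `windowSeconds` wall-clock seconds: one quotient per second for each
// of the 999 usable millisecond divisors (msec() == 0 would divide by zero).
double weakSeedBits(uint64_t windowSeconds) {
    return std::log2(static_cast<double>(windowSeconds) * 999.0);
}

// Nominal entropy of `length` symbols drawn uniformly from `alphabetSize`.
double passwordBits(size_t length, size_t alphabetSize) {
    return static_cast<double>(length) * std::log2(static_cast<double>(alphabetSize));
}

// One byte from the kernel CSPRNG.
static unsigned secureByte() {
    unsigned char b;
    if (getrandom(&b, 1, 0) != 1) throw std::runtime_error("getrandom failed");
    return b;
}

// Uniform index in [0, n) by rejection sampling, so no symbol is favoured
// the way `qrand() % chars.count()` favours the low indices.
static size_t uniformIndex(size_t n) {
    if (n == 0 || n > 256) throw std::invalid_argument("alphabet size must be 1..256");
    const unsigned limit = 256 - (256 % static_cast<unsigned>(n)); // largest multiple of n <= 256
    unsigned b;
    do { b = secureByte(); } while (b >= limit);
    return b % n;
}

// Secure counterpart of the %{password(...)} macro body: same shape as the
// applet's loop, but every symbol comes from the CSPRNG, unbiased.
std::string securePassword(const std::string& chars, size_t charCount) {
    std::string result;
    result.reserve(charCount);
    for (size_t i = 0; i < charCount; ++i)
        result += chars[uniformIndex(chars.size())];
    return result;
}
```

For a one-day expiry window weakSeedBits(86400) is about 26.4 bits, against the roughly 47.6 bits an 8-character alphanumeric password nominally carries; the generator's output space is the smaller of the two.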