<div dir="ltr"><div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Le lun. 21 juil. 2025 à 15:31, Yadd <<a href="mailto:yadd@debian.org" target="_blank">yadd@debian.org</a>> a écrit :<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
upstream chose to add a new dependency to fix CVE-2025-46653. However I <br>
think using "crypto" module is enough to fix this potential lack of <br>
randomness.<br>
Since Trixie has been frozen, I propose this little patch to fix the <br>
issue without changing source (adding a component).<br>
<br>
The proposed patch:<br>
- replaces hexoid (which uses Math.random) by built-in module "crypto"<br>
- increase id length from 25 characters to 40<br>
<br>
If you think it's OK to fix the issue, I'll upload and put a unblock BTS.<br></blockquote><div><br></div><div>Sorry for the late reply.</div><div><br></div><div>There are two issues with this patch:</div><div>- it doesn't generate a HEX string, while hexoid does</div><div>- it could be much simpler</div><div><br></div><div>function genIdTwo(len = 40) {<br> return crypto.randomBytes(Math.ceil(len / 2)).toString('hex').slice(0, len);<br>}</div><div><br></div><div>Jérémy</div></div></div>
</div>