[Pkg-erlang-commits] r1452 - in yaws/branches/stable/debian: . patches
sgolovan at alioth.debian.org
Sun Jun 24 08:38:34 UTC 2012
Author: sgolovan
Date: 2012-06-24 08:38:34 +0000 (Sun, 24 Jun 2012)
New Revision: 1452
Added:
yaws/branches/stable/debian/patches/mail.diff
yaws/branches/stable/debian/patches/random.diff
Modified:
yaws/branches/stable/debian/changelog
yaws/branches/stable/debian/patches/series
Log:
[yaws-stable]
* Added a patch which fixes the insufficient strength of the random number generator.
* Fixed a grave bug with config loading in YAWS mail application.
Modified: yaws/branches/stable/debian/changelog
===================================================================
--- yaws/branches/stable/debian/changelog 2012-06-21 16:23:23 UTC (rev 1451)
+++ yaws/branches/stable/debian/changelog 2012-06-24 08:38:34 UTC (rev 1452)
@@ -1,3 +1,10 @@
+yaws (1.88-2+squeeze1) stable-security; urgency=low
+
+ * Added a patch which fixes insufficient random numbers generator strength.
+ * Fixed a grave bug with config loading in YAWS mail application.
+
+ -- Sergei Golovan <sgolovan at debian.org> Sun, 24 Jun 2012 12:36:19 +0400
+
yaws (1.88-2) unstable; urgency=low
* Split out Yaws application to a separate package erlang-yaws, which
Added: yaws/branches/stable/debian/patches/mail.diff
===================================================================
--- yaws/branches/stable/debian/patches/mail.diff (rev 0)
+++ yaws/branches/stable/debian/patches/mail.diff 2012-06-24 08:38:34 UTC (rev 1452)
@@ -0,0 +1,26 @@
+Author: Sergei Golovan
+Description: Patch fixes the YAWS mail application config loading.
+Last-modified:Sun, 24 Jun 2012 12:08:14 +0400
+
+--- yaws-1.88.orig/applications/mail/src/mail.erl
++++ yaws-1.88/applications/mail/src/mail.erl
+@@ -2603,7 +2603,7 @@
+ Cfg;
+ read_config(FD, Cfg, Lno, Chars) ->
+ Next = io:get_line(FD, ''),
+- case yaws_config:toks(Chars) of
++ case yaws_config:toks(Lno, Chars) of
+ [] ->
+ read_config(FD, Cfg, Lno+1, Next);
+ ["ttl", '=', IntList] ->
+--- yaws-1.88.orig/src/yaws_config.erl
++++ yaws-1.88/src/yaws_config.erl
+@@ -25,7 +25,7 @@
+ update_sconf/2, delete_sconf/2,
+ eq_sconfs/2, soft_setconf/4, hard_setconf/2,
+ can_hard_gc/2, can_soft_setconf/4,
+- can_soft_gc/2, verify_upgrade_args/2]).
++ can_soft_gc/2, verify_upgrade_args/2, toks/2]).
+
+ %% where to look for yaws.conf
+ paths() ->
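Review bot: The patch header's Description says what is fixed but not what was failing, and the nested mail.erl hunk only shows the call going from `yaws_config:toks(Chars)` to `yaws_config:toks(Lno, Chars)` plus `toks/2` being added to the export list; presumably the mail application was calling an arity that no longer exists and crashed with `undef` when reading its config, which a packager reading this later would want stated. I would make the Description line `Description: mail.erl called yaws_config:toks/1, which no longer exists; pass the line number to toks/2 and export it from yaws_config.` Exporting `toks/2` also widens yaws_config's public interface for the sake of one caller, worth a one-line comment next to the export. The `read_config/4` clause shown starts inside the hunk but its body continues outside it, as does the earlier clause ending in `Cfg;`.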
Added: yaws/branches/stable/debian/patches/random.diff
===================================================================
--- yaws/branches/stable/debian/patches/random.diff (rev 0)
+++ yaws/branches/stable/debian/patches/random.diff 2012-06-24 08:38:34 UTC (rev 1452)
@@ -0,0 +1,132 @@
+Author: Upstream & Sergei Golovan
+Description: Patch replaces random:uniform/1 calls by crypto:rand_bytes/1
+ which is more secure.
+Last-modified: Sun, 24 Jun 2012 12:36:11 +0400
+
+--- yaws-1.88.orig/applications/mail/src/smtp.erl
++++ yaws-1.88/applications/mail/src/smtp.erl
+@@ -88,7 +88,10 @@
+ lists:flatten(
+ io_lib:format("~s_~2.2.0w_~s_~w_~2.2.0w:~2.2.0w:~2.2.0w_~w",
+ [weekday(Y,Mo,D), D, int_to_mt(Mo),
+- Y,H,M,S,random:uniform(5000)])).
++ Y,H,M,S,bin2int(crypto:rand_bytes(4))])).
++
++bin2int(Bin) ->
++ lists:foldl(fun(N, Acc) -> Acc * 256 + N end, 0, binary_to_list(Bin)).
+
+
+ smtp_init(Server, From, Recipients) ->
+--- yaws-1.88.orig/applications/mail/src/mail.erl
++++ yaws-1.88/applications/mail/src/mail.erl
+@@ -1053,8 +1053,6 @@
+ end.
+
+ session_manager_init() ->
+- {X,Y,Z} = seed(),
+- random:seed(X, Y, Z),
+ session_manager([], now(), read_config()).
+
+ session_manager(C0, LastGC0, Cfg) ->
+@@ -1078,7 +1076,7 @@
+ end,
+ session_manager(C, LastGC, Cfg);
+ {new_session, Session, From} ->
+- Cookie = integer_to_list(random:uniform(1 bsl 50)),
++ Cookie = integer_to_list(bin2int(crypto:rand_bytes(16))),
+ From ! {session_manager, Cookie},
+ session_manager([{Cookie, Session#session{cookie=Cookie},
+ now()}|C], LastGC, Cfg);
+@@ -1219,15 +1217,6 @@
+ diff({M1,S1,_}, {M2,S2,_}) ->
+ (M2-M1)*1000000+(S2-S1).
+
+-seed() ->
+- case (catch list_to_binary(
+- os:cmd("dd if=/dev/urandom ibs=12 count=1 2>/dev/null"))) of
+- <<X:32, Y:32, Z:32>> ->
+- {X, Y, Z};
+- _ ->
+- now()
+- end.
+-
+ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+ retr(Server, User, Password, Nr) ->
+@@ -1959,7 +1948,10 @@
+ lists:flatten(
+ io_lib:format("~s_~2.2.0w_~s_~w_~2.2.0w:~2.2.0w:~2.2.0w_~w",
+ [weekday(Y1,Y2,Mo,D), D, int_to_mt(Mo),
+- y(Y1,Y2),H,M,S,random:uniform(5000)])).
++ y(Y1,Y2),H,M,S,bin2int(crypto:rand_bytes(4))])).
++
++bin2int(Bin) ->
++ lists:foldl(fun(N, Acc) -> Acc * 256 + N end, 0, binary_to_list(Bin)).
+
+ date_and_time_to_string(DAT) ->
+ case validate_date_and_time(DAT) of
+--- yaws-1.88.orig/applications/chat/src/chat.erl
++++ yaws-1.88/applications/chat/src/chat.erl
+@@ -148,7 +148,7 @@
+ end,
+ chat_server(Users);
+ {new_session, User, From} ->
+- Cookie = integer_to_list(random:uniform(1 bsl 50)),
++ Cookie = integer_to_list(bin2int(crypto:rand_bytes(16))),
+ Session = #user{cookie=Cookie, user=User, color=pick_color()},
+ From ! {session_manager, Cookie, Session},
+ chat_server([Session|Users]);
+@@ -187,6 +187,9 @@
+ 5000 ->
+ chat_server(Users)
+ end.
++
++bin2int(Bin) ->
++ lists:foldl(fun(N, Acc) -> Acc * 256 + N end, 0, binary_to_list(Bin)).
+
+
+ %%
+--- yaws-1.88.orig/src/yaws_session_server.erl
++++ yaws-1.88/src/yaws_session_server.erl
+@@ -136,8 +136,6 @@
+ %% {stop, Reason}
+ %%----------------------------------------------------------------------
+ init([]) ->
+- {X,Y,Z} = seed(),
+- random:seed(X, Y, Z),
+ ets:new(?MODULE, [set, named_table, public, {keypos, 2}]),
+ start_long_timer(),
+ {ok, undefined, to()}.
+@@ -154,18 +152,6 @@
+ 2 * 60 * 1000.
+
+
+-%% pretty good seed, but non portable
+-seed() ->
+- case (catch list_to_binary(
+- os:cmd("dd if=/dev/urandom ibs=12 count=1 2>/dev/null"))) of
+- <<X:32, Y:32, Z:32>> ->
+- {X, Y, Z};
+- _ ->
+- now()
+- end.
+-
+-
+-
+ %%----------------------------------------------------------------------
+ %% Func: handle_call/3
+ %% Returns: {reply, Reply, State} |
+@@ -176,9 +162,12 @@
+ %% {stop, Reason, State} (terminate/2 is called)
+ %%----------------------------------------------------------------------
+
++
++bin2int(Bin) ->
++ lists:foldl(fun(N, Acc) -> Acc * 256 + N end, 0, binary_to_list(Bin)).
+
+ handle_call({new_session, Opaque, TTL, Cleanup}, From, State) ->
+- N = random:uniform(16#ffffffffffffffff), %% 64 bits
++ N = bin2int(crypto:rand_bytes(16)),
+ Cookie = atom_to_list(node()) ++ [$-|integer_to_list(N)],
+ handle_call({new_session, Opaque, TTL, Cleanup, Cookie}, From, State);
+
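Review bot: `crypto:rand_bytes/1`, which now produces every session cookie (mail.erl and chat.erl `new_session`, yaws_session_server `handle_call`), is documented by OTP as the crypto library's pseudo-random generator, while the "cryptographically secure" wording is reserved for `crypto:strong_rand_bytes/1` (available since R14B03); for an identifier whose whole purpose is to be unguessable the latter is the right call, and it fails loudly with `low_entropy` rather than returning weak bytes. The four identical `bin2int/1` copies are unnecessary, since a binary match yields the integer directly: `<<N:128>> = crypto:strong_rand_bytes(16),` in yaws_session_server and the same shape with `Cookie = integer_to_list(N)` in mail.erl and chat.erl (or `binary:decode_unsigned/1`). In yaws_session_server.erl the added `bin2int` lands between the `%% Func: handle_call/3` header comment and the `handle_call` clauses, so that comment now describes the wrong function; it belongs after the clauses or above the comment block. Unlike `random`, `crypto` is an OTP application that must be running before these calls succeed, so if yaws does not already start it the first new session will crash — worth confirming in the packaging.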
Modified: yaws/branches/stable/debian/patches/series
===================================================================
--- yaws/branches/stable/debian/patches/series 2012-06-21 16:23:23 UTC (rev 1451)
+++ yaws/branches/stable/debian/patches/series 2012-06-24 08:38:34 UTC (rev 1452)
@@ -7,3 +7,5 @@
man.diff
ctl.diff
docs.diff
+random.diff
+mail.diff