[Pkg-javascript-devel] Bug#1104246: Bug#1104246: node-formidable proposed fix
Jérémy Lal
kapouer at melix.org
Thu Jul 24 10:39:09 BST 2025
On Mon, 21 Jul 2025 at 15:31, Yadd <yadd at debian.org> wrote:
> Hi,
>
> upstream chose to add a new dependency to fix CVE-2025-46653. However, I
> think using the "crypto" module is enough to fix this potential lack of
> randomness.
> Since Trixie has been frozen, I propose this little patch to fix the
> issue without changing source (adding a component).
>
> The proposed patch:
> - replaces hexoid (which uses Math.random) with the built-in module "crypto"
> - increases id length from 25 characters to 40
>
> If you think it's OK to fix the issue, I'll upload and put an unblock BTS.
>
Sorry for the late reply.
There are two issues with this patch:
- it doesn't generate a HEX string, while hexoid does
- it could be much simpler
  function genIdTwo(len = 40) {
    return crypto.randomBytes(Math.ceil(len / 2)).toString('hex').slice(0, len);
  }
Jérémy