[Python-modules-commits] r23493 - in packages/pyrad/trunk/debian (5 files)

sharky at users.alioth.debian.org
Sat Feb 16 08:58:44 UTC 2013


    Date: Saturday, February 16, 2013 @ 08:58:40
  Author: sharky
Revision: 23493

fix CVE-2013-0294, #700669

Added:
  packages/pyrad/trunk/debian/patches/
  packages/pyrad/trunk/debian/patches/change_random_generator.patch
  packages/pyrad/trunk/debian/patches/series
Modified:
  packages/pyrad/trunk/debian/changelog
  packages/pyrad/trunk/debian/source/format

Modified: packages/pyrad/trunk/debian/changelog
===================================================================
--- packages/pyrad/trunk/debian/changelog	2013-02-16 05:22:10 UTC (rev 23492)
+++ packages/pyrad/trunk/debian/changelog	2013-02-16 08:58:40 UTC (rev 23493)
@@ -1,3 +1,10 @@
+pyrad (2.0-2) unstable; urgency=high
+
+  * Use a better random number generator to prevent predictable password
+    hashing and packet IDs (CVE-2013-0294, Closes: #700669).
+
+ -- Jeremy Lainé <jeremy.laine at m4x.org>  Sat, 16 Feb 2013 09:52:59 +0100
+
 pyrad (2.0-1) unstable; urgency=low
 
   * New upstream release.
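
Review bot: The 2.0-2 entry records only the random number generator fix, but this revision also changes debian/source/format from 1.0 to 3.0 (quilt) and introduces debian/patches/. Add a second bullet for the source format switch so the packaging change is visible in the changelog and not only in the diff.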

Added: packages/pyrad/trunk/debian/patches/change_random_generator.patch
===================================================================
--- packages/pyrad/trunk/debian/patches/change_random_generator.patch	                        (rev 0)
+++ packages/pyrad/trunk/debian/patches/change_random_generator.patch	2013-02-16 08:58:40 UTC (rev 23493)
@@ -0,0 +1,35 @@
+diff --git a/pyrad/packet.py b/pyrad/packet.py
+index e3682b2..2366140 100644
+--- a/pyrad/packet.py
++++ b/pyrad/packet.py
+@@ -33,8 +33,11 @@ CoARequest = 43
+ CoAACK = 44
+ CoANAK = 45
+ 
++# Use cryptographic-safe random generator as provided by the OS.
++random_generator = random.SystemRandom()
++
+ # Current ID
+-CurrentID = random.randrange(1, 255)
++CurrentID = random_generator.randrange(1, 255)
+ 
+ 
+ class PacketError(Exception):
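
Review bot: `CurrentID = random_generator.randrange(1, 255)` keeps the old bounds, so the initial ID is drawn from 1..254, while the `CreateID` hunk below uses `randrange(0, 256)` for 0..255. Either use the same range in both places or add a comment saying why 0 and 255 are excluded here. Minor wording point on the new comment: "cryptographic-safe" reads better as "cryptographically secure".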
+@@ -208,7 +211,7 @@ class Packet(dict):
+ 
+         data = []
+         for i in range(16):
+-            data.append(random.randrange(0, 256))
++            data.append(random_generator.randrange(0, 256))
+         if six.PY3:
+             return bytes(data)
+         else:
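
Review bot: The loop still makes 16 separate `random_generator.randrange(0, 256)` calls and then branches on `six.PY3` to turn the list into a byte string. `random.SystemRandom` draws from `os.urandom`, so calling `os.urandom(16)` here would return the 16 bytes directly as a byte string on both Python 2 and Python 3, and the loop and the version branch could go.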
+@@ -223,7 +226,7 @@ class Packet(dict):
+         :rtype:  integer
+ 
+         """
+-        return random.randrange(0, 256)
++        return random_generator.randrange(0, 256)
+ 
+     def ReplyPacket(self):
+         """Create a ready-to-transmit authentication reply packet.
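
Review bot: The new patch file begins at `diff --git a/pyrad/packet.py b/pyrad/packet.py` on its first line, with no header in front of the diff. Add DEP-3 fields (Description, Origin, Bug-Debian for #700669) at the top of change_random_generator.patch so the link to CVE-2013-0294 and the source of the change are recorded in the patch itself and not only in debian/changelog.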

Added: packages/pyrad/trunk/debian/patches/series
===================================================================
--- packages/pyrad/trunk/debian/patches/series	                        (rev 0)
+++ packages/pyrad/trunk/debian/patches/series	2013-02-16 08:58:40 UTC (rev 23493)
@@ -0,0 +1 @@
+change_random_generator.patch

Modified: packages/pyrad/trunk/debian/source/format
===================================================================
--- packages/pyrad/trunk/debian/source/format	2013-02-16 05:22:10 UTC (rev 23492)
+++ packages/pyrad/trunk/debian/source/format	2013-02-16 08:58:40 UTC (rev 23493)
@@ -1 +1 @@
-1.0
+3.0 (quilt)



