[Reproducible-builds] Bug#830979: zoneminder: please generate security salts, etc. per installation

Chris Lamb lamby at debian.org
Wed Jul 13 13:50:45 UTC 2016


Source: zoneminder
Version: 1.29.0+dfsg-2
Severity: wishlist
Tags: patch security
User: reproducible-builds at lists.alioth.debian.org
Usertags: randomness
X-Debbugs-Cc: reproducible-builds at lists.alioth.debian.org

Hi,

Whilst working on the "reproducible builds" effort [0], we noticed
that zoneminder could not be built reproducibly.

This is because the random seeds are generated at build time, meaning
that all zoneminder instances--on each architecture--share the same
secret key. Is this a security issue? Tagging as such; please untag
if not.

Patch attached that generates these at installation time.

 [0] https://wiki.debian.org/ReproducibleBuilds


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby at debian.org / chris-lamb.co.uk
       `-
--- a/debian/patches/reproducible_build.patch	1970-01-01 02:00:00.000000000 +0200
--- b/debian/patches/reproducible_build.patch	2016-07-13 15:44:01.209534314 +0200
@@ -0,0 +1,17 @@
+--- zoneminder-1.29.0+dfsg.orig/web/api/app/Config/core.php.default
++++ zoneminder-1.29.0+dfsg/web/api/app/Config/core.php.default
+@@ -223,12 +223,12 @@
+ /**
+  * A random string used in security hashing methods.
+  */
+-	Configure::write('Security.salt', '@ZM_API_SALT@');
++	Configure::write('Security.salt', '__ZM_API_SALT__');
+ 
+ /**
+  * A random numeric string (digits only) used to encrypt/decrypt strings.
+  */
+-	Configure::write('Security.cipherSeed', '@ZM_API_SEED@');
++	Configure::write('Security.cipherSeed', '__ZM_API_SEED__');
+ 
+ /**
+  * Apply timestamps with the last modified time to static assets (js, css, images).
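Review bot: the new debian/patches/reproducible_build.patch carries no DEP-3 header (Description, Author, Bug-Debian, Forwarded), so nothing records why the placeholders are renamed; add one stating that `@ZM_API_SALT@` / `@ZM_API_SEED@` are presumably filled in by the build (which is where the shared build-time values this bug reports come from), while `__ZM_API_SALT__` / `__ZM_API_SEED__` are deliberately left untouched so they survive into the installed core.php for postinst to replace. Stating whether this was forwarded upstream would also help, since the build-time generation is an upstream behaviour rather than a packaging one.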
--- a/debian/patches/series	2016-07-13 15:14:24.019364798 +0200
--- b/debian/patches/series	2016-07-13 15:43:51.469404943 +0200
@@ -9,3 +9,4 @@
 docs.patch
 spelling-corrections.patch
 use_libjs-mootools.patch
+reproducible_build.patch
--- a/debian/zoneminder.postinst	2016-07-13 15:14:24.019364798 +0200
--- b/debian/zoneminder.postinst	2016-07-13 15:43:22.441019824 +0200
@@ -2,12 +2,21 @@
 
 set -e
 
+Generate_random () {
+	tr -dc $1 < /dev/urandom | head -c $2
+}
+
 if [ "$1" = "configure" ]; then
 		chown www-data:root /var/log/zm
 		chown www-data:www-data /var/lib/zm
 		if [ -z "$2" ]; then
 			chown www-data:www-data -R /var/cache/zoneminder
 		fi
+
+		sed -i \
+			-e "s at __ZM_API_SALT__@$(Generate_random A-Za-z0-9 29)@g" \
+			-e "s at __ZM_API_SEED__@$(Generate_random 0-9 40)@g" \
+			/usr/share/zoneminder/www/api/app/Config/core.php
 fi
 
 #DEBHELPER#
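Review bot: the `sed -i` block runs on every `configure`, upgrades included, and rewrites `/usr/share/zoneminder/www/api/app/Config/core.php`, a file owned by the package rather than a conffile; each upgrade will therefore reinstall the file with the `__ZM_API_*__` markers and re-randomise them, so anything hashed under the previous `Security.salt` (the patch's own comment says it is "used in security hashing methods") stops validating, and `dpkg -V`/debsums will flag the file as modified. Consider only substituting when the marker is still present, or better, writing the generated values to a file under /etc that core.php reads. Two smaller points: quote the function arguments (`tr -dc "$1" < /dev/urandom | head -c "$2"`), and note that the list archive has mangled the sed delimiter, `s at __ZM_API_SALT__@` is `s@__ZM_API_SALT__@...@g` in the real file, which is only safe because the generated characters (`A-Za-z0-9` and `0-9`) can never contain `@`. It is also worth double-checking the chosen lengths (29 characters for the salt, 40 digits for the cipherSeed) against what the upstream core.php.default uses for each, as they may be the wrong way round.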