cd "$1" && patch -p1 < "$0"
Description: improve the randomness of generate_random_password
CVE-2010-4568 Improve the randomness of generate_random_password, to protect
against an account compromise issue and other critical vulnerabilities.
Origin: http://bzr.mozilla.org/bugzilla/3.6/revision/7226
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=621591
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611176
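--- a/Bugzilla/Install/Localconfig.pm 2010-04-22 18:06:10 +0000
+++ b/Bugzilla/Install/Localconfig.pm 2011-01-24 21:48:17 +0000
 name => 'site_wide_secret',
- default => sub { generate_random_password(256) },
+ # 64 characters is roughly the equivalent of a 384-bit key, which
+ # is larger than anybody would ever be able to brute-force.
+ default => sub { generate_random_password(64) },
 # This secret key is used by your installation for the creation and
 # validation of encrypted tokens to prevent unsolicited changes,
 foreach my $var (LOCALCONFIG_VARS) {
 my $name = $var->{name};
- if (!defined $localconfig->{$name}) {
+ my $value = $localconfig->{$name};
+ # Regenerate site_wide_secret if it was made by our old, weak
+ # generate_random_password. Previously we used to generate
+ # a 256-character string for site_wide_secret.
+ $value = undef if ($name eq 'site_wide_secret' and defined $value
+ and length($value) == 256);
+ if (!defined $value) {
 push(@new_vars, $name);
 $var->{default} = &{$var->{default}} if ref($var->{default}) eq 'CODE';
 if (exists $answer->{$name}) {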
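Review bot: The regeneration test `length($value) == 256` works only because the new default length (64) differs from the old one, and nothing in the code ties the two numbers together. If the `site_wide_secret` default were ever set back to 256 characters, this loop would appear to discard and regenerate the secret on every run. I would name both lengths as constants, or add a comment next to the default such as `# Must not be 256: a 256-character value is treated as a legacy weak secret and regenerated.` Separately, the "384-bit" comment presumes a cryptographically strong generator, so a 64-character secret produced through the rand() fallback in Bugzilla/Util.pm is not covered by that estimate and is not caught by this check. The foreach body continues outside the visible lines.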
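--- a/Bugzilla/Install/Requirements.pm 2011-01-21 21:16:42 +0000
+++ b/Bugzilla/Install/Requirements.pm 2011-01-24 21:48:17 +0000
 version => '1.999022',
 feature => ['mod_perl'],
+ package => 'Math-Random-Secure',
+ module => 'Math::Random::Secure',
+ feature => ['rand_security'],
 my $extra_modules = _get_extension_requirements('OPTIONAL_MODULES');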
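Review bot: Math::Random::Secure is registered with a `feature` key and the trailing context reads OPTIONAL_MODULES, so the fix for CVE-2010-4568 appears to depend on an optional module. An installation without it keeps using the rand()-based fallback in generate_random_password with no visible signal to the administrator. Consider listing the module as required, or at least having the requirements check print a prominent warning when `rand_security` is unavailable. Not every line of the new entry is visible here, so this is based on the visible keys only.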
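--- a/Bugzilla/Util.pm 2010-04-02 23:34:46 +0000
+++ b/Bugzilla/Util.pm 2011-01-24 21:48:17 +0000
 return $crypted_password;
+# If you want to understand the security of strings generated by this
+# function, here's a quick formula that will help you estimate:
+# We pick from 62 characters, which is close to 64, which is 2^6.
+# So 8 characters is (2^6)^8 == 2^48 combinations. Just multiply 6
+# by the number of characters you generate, and that gets you the equivalent
+# strength of the string in bits.
 sub generate_random_password {
 my $size = shift || 10; # default to 10 chars if nothing specified
- return join("", map{ ('0'..'9','a'..'z','A'..'Z')[rand 62] } (1..$size));
+ if (Bugzilla->feature('rand_security')) {
+ $rand = \&Math::Random::Secure::irand;
+ # For details on why this block works the way it does, see bug 619594.
+ # (Note that we don't do this if Math::Random::Secure is installed,
+ # because we don't need to.)
+ # If we regenerate the seed every 5 characters, our seed is roughly
+ # as strong (in terms of bit size) as our randomly-generated
+ _do_srand() if ($counter % 5) == 0;
+ return int(rand $_[0]);
+ return join("", map{ ('0'..'9','a'..'z','A'..'Z')[$rand->(62)] }
+ # On Windows, calling srand over and over in the same process produces
+ # very bad results. We need a stronger seed.
+ # GuidGen generates random data via Windows's CryptGenRandom
+ # interface, which is documented as being cryptographically secure.
+ my $guid = Win32::GuidGen();
+ # {09531CF1-D0C7-4860-840C-1C8C8735E2AD}
+ $guid =~ s/[-{}]+//g;
+ # Get a 32-bit integer using the first eight hex digits.
+ my $seed = hex(substr($guid, 0, 8));
+ # On *nix-like platforms, this uses /dev/urandom, so the seed changes
+ # enough on every invocation.
 sub validate_email_syntax {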
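Review bot: The new header comment's "multiply 6 by the number of characters" estimate holds only on the `Math::Random::Secure::irand` path. In the fallback, `int(rand $_[0])` draws from Perl's built-in rand(), which is not designed as a cryptographic generator and is reseeded from a 32-bit value (`hex(substr($guid, 0, 8))` on the Windows path). I would qualify the comment with `# This estimate assumes Math::Random::Secure is installed; the rand() fallback is limited by the srand() seed.` Several lines of generate_random_password and _do_srand are not visible here, so the reseeding logic itself is not reviewed.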
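--- a/mod_perl.pl 2010-02-01 21:39:54 +0000
+++ b/mod_perl.pl 2011-01-24 21:48:17 +0000
 use Bugzilla::Template ();
 use Bugzilla::Util ();
+# For PerlChildInitHandler
+eval { require Math::Random::Secure };
 my ($sizelimit, $maxrequests) = ('', '');
 if (Bugzilla::Constants::ON_WINDOWS) {
 $maxrequests = "MaxRequestsPerChild 25";
 my $server = Apache2::ServerUtil->server;
-# Make sure each httpd child receives a different random seed (bug 476622)
-PerlChildInitHandler "sub { srand(); }"
+# Make sure each httpd child receives a different random seed (bug 476622).
+# Math::Random::Secure has one srand that needs to be called for
+# every process, and Perl has another. (Various Perl modules still use
+# the built-in rand(), even though we only use Math::Random::Secure in
+# Bugzilla itself, so we need to srand() both of them.) However,
+# Math::Random::Secure may not be installed, so we call its srand in an
+PerlChildInitHandler "sub { eval { Math::Random::Secure::srand() }; srand(); }"
 <Directory "$cgi_path">
 AddHandler perl-script .cgi
 # No need to PerlModule these because they're already defined in mod_perl.pl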
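Review bot: `eval { require Math::Random::Secure };` discards every failure, so a module that is installed but fails to load (broken dependency, compile error) is indistinguishable from one that is absent, and the server would run on the weaker fallback without any log entry. I would keep the optional load but report unexpected errors directly after the eval, e.g. `warn "Math::Random::Secure failed to load: $@" if $@ && $@ !~ /^Can't locate Math\/Random\/Secure\.pm/;`. The same applies to `eval { Math::Random::Secure::srand() }` in the PerlChildInitHandler, where a failed per-child reseed would otherwise go unnoticed.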
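--- a/template/en/default/setup/strings.txt.pl 2010-10-26 21:08:21 +0000
+++ b/template/en/default/setup/strings.txt.pl 2011-01-24 21:48:17 +0000
 feature_mod_perl => 'mod_perl',
 feature_moving => 'Move Bugs Between Installations',
 feature_patch_viewer => 'Patch Viewer',
+ feature_rand_security => 'Improve cookie and token security',
 feature_smtp_auth => 'SMTP Authentication',
 feature_updates => 'Automatic Update Notifications',
 feature_xmlrpc => 'XML-RPC Interface',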