Bug 969421 (CVE-2013-2120)

This issue affects the version of the kdeplasma-addons package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the kdeplasma-addons package, as shipped with Fedora release of 17 and 18. Please schedule an update (once there is a final upstream patch available).

Created kdeplasma-addons tracking bugs for this issue

Affects: fedora-all [bug 969425]

Upstream fix: https://projects.kde.org/projects/kde/kdeplasma-addons/repository/revisions/36a1fe49cb70f717c4a6e9eeee2c9186503a8dce

pulled into kdeplasma-4.10.4-2 builds

analitza-4.10.4-1.fc19, ark-4.10.4-1.fc19, audiocd-kio-4.10.4-1.fc19, blinken-4.10.4-1.fc19, bomber-4.10.4-1.fc19, bovo-4.10.4-1.fc19, cantor-4.10.4-1.fc19, dragon-4.10.4-1.fc19, filelight-4.10.4-1.fc19, granatier-4.10.4-1.fc19, gwenview-4.10.4-1.fc19, jovie-4.10.4-1.fc19, juk-4.10.4-1.fc19, kaccessible-4.10.4-1.fc19, kactivities-4.10.4-1.fc19, kajongg-4.10.4-1.fc19, kalgebra-4.10.4-1.fc19, kalzium-4.10.4-1.fc19, kamera-4.10.4-1.fc19, kanagram-4.10.4-1.fc19, kapman-4.10.4-1.fc19, kate-4.10.4-1.fc19, katomic-4.10.4-1.fc19, kblackbox-4.10.4-1.fc19, kblocks-4.10.4-1.fc19, kbounce-4.10.4-1.fc19, kbreakout-4.10.4-1.fc19, kbruch-4.10.4-1.fc19, kcalc-4.10.4-1.fc19, kcharselect-4.10.4-1.fc19, kcolorchooser-4.10.4-1.fc19, kdeaccessibility-4.10.4-1.fc19, kdeadmin-4.10.4-1.fc19, kdeartwork-4.10.4-1.fc19, kde-baseapps-4.10.4-1.fc19, kde-base-artwork-4.10.4-1.fc19, kdebindings-4.10.4-1.fc19, kdeedu-4.10.4-1.fc19, kdegames-4.10.4-1.fc19, kdegraphics-4.10.4-1.fc19, kdegraphics-mobipocket-4.10.4-1.fc19, kdegraphics-strigi-analyzer-4.10.4-1.fc19, kdegraphics-thumbnailers-4.10.4-1.fc19, kde-l10n-4.10.4-1.fc19, kdelibs-4.10.4-1.fc19, kdemultimedia-4.10.4-1.fc19, kdenetwork-4.10.4-1.fc19, kdepim-4.10.4-1.fc19, kdepim-runtime-4.10.4-1.fc19.2, kde-print-manager-4.10.4-1.fc19, kde-runtime-4.10.4-1.fc19, kdesdk-4.10.4-1.fc19, kdetoys-4.10.4-1.fc19, kdeutils-4.10.4-1.fc19, kde-wallpapers-4.10.4-1.fc19, kde-workspace-4.10.4-1.fc19, kdf-4.10.4-1.fc19, kdiamond-4.10.4-1.fc19, kfloppy-4.10.4-1.fc19, kfourinline-4.10.4-1.fc19, kgamma-4.10.4-1.fc19, kgeography-4.10.4-1.fc19, kgoldrunner-4.10.4-1.fc19, kgpg-4.10.4-1.fc19, khangman-4.10.4-1.fc19, kig-4.10.4-1.fc19, kigo-4.10.4-1.fc19, killbots-4.10.4-1.fc19, kimono-4.10.4-1.fc19, kiriki-4.10.4-1.fc19, kiten-4.10.4-1.fc19, kjumpingcube-4.10.4-1.fc19, klettres-4.10.4-1.fc19, klickety-4.10.4-1.fc19, klines-4.10.4-1.fc19, kmag-4.10.4-1.fc19, kmahjongg-4.10.4-1.fc19, kmines-4.10.4-1.fc19, kmix-4.10.4-1.fc19, kmousetool-4.10.4-1.fc19, kmouth-4.10.4-1.fc19, kmplot-4.10.4-1.fc19, knavalbattle-4.10.4-1.fc19, knetwalk-4.10.4-1.fc19, kolf-4.10.4-1.fc19, kollision-4.10.4-1.fc19, kolourpaint-4.10.4-1.fc19, konquest-4.10.4-1.fc19, konsole-4.10.4-1.fc19, kpat-4.10.4-1.fc19, kremotecontrol-4.10.4-1.fc19, kreversi-4.10.4-1.fc19, kross-interpreters-4.10.4-1.fc19, kruler-4.10.4-1.fc19, ksaneplugin-4.10.4-1.fc19, kscd-4.10.4-1.fc19, kshisen-4.10.4-1.fc19, ksirk-4.10.4-1.fc19, ksnakeduel-4.10.4-1.fc19, ksnapshot-4.10.4-1.fc19, kspaceduel-4.10.4-1.fc19, ksquares-4.10.4-1.fc19, kstars-4.10.4-1.fc19, ksudoku-4.10.4-1.fc19, ktimer-4.10.4-1.fc19, ktouch-4.10.4-1.fc19, ktuberling-4.10.4-1.fc19, kturtle-4.10.4-1.fc19, kubrick-4.10.4-1.fc19, kwallet-4.10.4-1.fc19, kwordquiz-4.10.4-1.fc19, libkcddb-4.10.4-1.fc19, libkcompactdisc-4.10.4-1.fc19, libkdcraw-4.10.4-1.fc19, libkdeedu-4.10.4-1.fc19, libkdegames-4.10.4-1.fc19, libkexiv2-4.10.4-1.fc19, libkipi-4.10.4-1.fc19, libkmahjongg-4.10.4-1.fc19, libksane-4.10.4-1.fc19, lskat-4.10.4-1.fc19, marble-4.10.4-1.fc19, nepomuk-core-4.10.4-1.fc19, nepomuk-widgets-4.10.4-1.fc19, okular-4.10.4-1.fc19, oxygen-icon-theme-4.10.4-1.fc19, pairs-4.10.4-1.fc19, palapeli-4.10.4-1.fc19, parley-4.10.4-1.fc19, picmi-4.10.4-1.fc19, pykde4-4.10.4-1.fc19, qyoto-4.10.4-1.fc19, rocs-4.10.4-1.fc19, ruby-korundum-4.10.4-1.fc19, ruby-qt-4.10.4-1.fc19, smokegen-4.10.4-1.fc19, smokekde-4.10.4-1.fc19, smokeqt-4.10.4-1.fc19, step-4.10.4-1.fc19, superkaramba-4.10.4-1.fc19, svgpart-4.10.4-1.fc19, sweeper-4.10.4-1.fc19, kdepimlibs-4.10.4-2.fc19, kdeplasma-addons-4.10.4-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

kdeplasma-addons-4.10.4-2.fc18, analitza-4.10.4-1.fc18, ark-4.10.4-1.fc18, audiocd-kio-4.10.4-1.fc18, blinken-4.10.4-1.fc18, bomber-4.10.4-1.fc18, bovo-4.10.4-1.fc18, cantor-4.10.4-1.fc18, dragon-4.10.4-1.fc18, filelight-4.10.4-1.fc18, granatier-4.10.4-1.fc18, gwenview-4.10.4-1.fc18, jovie-4.10.4-1.fc18, juk-4.10.4-1.fc18, kaccessible-4.10.4-1.fc18, kactivities-4.10.4-1.fc18, kajongg-4.10.4-1.fc18, kalgebra-4.10.4-1.fc18, kalzium-4.10.4-1.fc18, kamera-4.10.4-1.fc18, kanagram-4.10.4-1.fc18, kapman-4.10.4-1.fc18, kate-4.10.4-1.fc18, katomic-4.10.4-1.fc18, kblackbox-4.10.4-1.fc18, kblocks-4.10.4-1.fc18, kbounce-4.10.4-1.fc18, kbreakout-4.10.4-1.fc18, kbruch-4.10.4-1.fc18, kcalc-4.10.4-1.fc18, kcharselect-4.10.4-1.fc18, kcolorchooser-4.10.4-1.fc18, kdeaccessibility-4.10.4-1.fc18, kdeadmin-4.10.4-1.fc18, kdeartwork-4.10.4-1.fc18, kde-baseapps-4.10.4-1.fc18, kde-base-artwork-4.10.4-1.fc18, kdebindings-4.10.4-1.fc18, kdeedu-4.10.4-1.fc18, kdegames-4.10.4-1.fc18, kdegraphics-4.10.4-1.fc18, kdegraphics-mobipocket-4.10.4-1.fc18, kdegraphics-strigi-analyzer-4.10.4-1.fc18, kdegraphics-thumbnailers-4.10.4-1.fc18, kde-l10n-4.10.4-1.fc18, kdelibs-4.10.4-1.fc18, kdemultimedia-4.10.4-1.fc18, kdenetwork-4.10.4-1.fc18, kdepim-4.10.4-1.fc18, kdepim-runtime-4.10.4-1.fc18.1, kde-print-manager-4.10.4-1.fc18, kde-runtime-4.10.4-1.fc18, kdesdk-4.10.4-1.fc18, kdetoys-4.10.4-1.fc18, kdeutils-4.10.4-1.fc18, kde-wallpapers-4.10.4-1.fc18, kde-workspace-4.10.4-1.fc18, kdf-4.10.4-1.fc18, kdiamond-4.10.4-1.fc18, kfloppy-4.10.4-1.fc18, kfourinline-4.10.4-1.fc18, kgamma-4.10.4-1.fc18, kgeography-4.10.4-1.fc18, kgoldrunner-4.10.4-1.fc18, kgpg-4.10.4-1.fc18, khangman-4.10.4-1.fc18, kig-4.10.4-1.fc18, kigo-4.10.4-1.fc18, killbots-4.10.4-1.fc18, kimono-4.10.4-1.fc18, kiriki-4.10.4-1.fc18, kiten-4.10.4-1.fc18, kjumpingcube-4.10.4-1.fc18, klettres-4.10.4-1.fc18, klickety-4.10.4-1.fc18, klines-4.10.4-1.fc18, kmag-4.10.4-1.fc18, kmahjongg-4.10.4-1.fc18, kmines-4.10.4-1.fc18, kmix-4.10.4-1.fc18, kmousetool-4.10.4-1.fc18, kmouth-4.10.4-1.fc18, kmplot-4.10.4-1.fc18, knavalbattle-4.10.4-1.fc18, knetwalk-4.10.4-1.fc18, kolf-4.10.4-1.fc18, kollision-4.10.4-1.fc18, kolourpaint-4.10.4-1.fc18, konquest-4.10.4-1.fc18, konsole-4.10.4-1.fc18, kpat-4.10.4-1.fc18, kremotecontrol-4.10.4-1.fc18, kreversi-4.10.4-1.fc18, kross-interpreters-4.10.4-1.fc18, kruler-4.10.4-1.fc18, ksaneplugin-4.10.4-1.fc18, kscd-4.10.4-1.fc18, kshisen-4.10.4-1.fc18, ksirk-4.10.4-1.fc18, ksnakeduel-4.10.4-1.fc18, ksnapshot-4.10.4-1.fc18, kspaceduel-4.10.4-1.fc18, ksquares-4.10.4-1.fc18, kstars-4.10.4-1.fc18, ksudoku-4.10.4-1.fc18, ktimer-4.10.4-1.fc18, ktouch-4.10.4-1.fc18, ktuberling-4.10.4-1.fc18, kturtle-4.10.4-1.fc18, kubrick-4.10.4-1.fc18, kwallet-4.10.4-1.fc18, kwordquiz-4.10.4-1.fc18, libkcddb-4.10.4-1.fc18, libkcompactdisc-4.10.4-1.fc18, libkdcraw-4.10.4-1.fc18, libkdeedu-4.10.4-1.fc18, libkdegames-4.10.4-1.fc18, libkexiv2-4.10.4-1.fc18, libkipi-4.10.4-1.fc18, libkmahjongg-4.10.4-1.fc18, libksane-4.10.4-1.fc18, lskat-4.10.4-1.fc18, marble-4.10.4-1.fc18, nepomuk-core-4.10.4-1.fc18, nepomuk-widgets-4.10.4-1.fc18, okular-4.10.4-1.fc18, oxygen-icon-theme-4.10.4-1.fc18, pairs-4.10.4-1.fc18, palapeli-4.10.4-1.fc18, parley-4.10.4-1.fc18, picmi-4.10.4-1.fc18, pykde4-4.10.4-1.fc18, qyoto-4.10.4-1.fc18, rocs-4.10.4-1.fc18, ruby-korundum-4.10.4-1.fc18, ruby-qt-4.10.4-1.fc18, smokegen-4.10.4-1.fc18, smokekde-4.10.4-1.fc18, smokeqt-4.10.4-1.fc18, step-4.10.4-1.fc18, superkaramba-4.10.4-1.fc18, svgpart-4.10.4-1.fc18, sweeper-4.10.4-1.fc18, kdepimlibs-4.10.4-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

kdepimlibs-4.10.4-2.fc17, analitza-4.10.4-1.fc17, ark-4.10.4-1.fc17, audiocd-kio-4.10.4-1.fc17, blinken-4.10.4-1.fc17, bomber-4.10.4-1.fc17, bovo-4.10.4-1.fc17, cantor-4.10.4-1.fc17, dragon-4.10.4-1.fc17, filelight-4.10.4-1.fc17, granatier-4.10.4-1.fc17, gwenview-4.10.4-1.fc17, jovie-4.10.4-1.fc17, juk-4.10.4-1.fc17, kaccessible-4.10.4-1.fc17, kactivities-4.10.4-1.fc17, kajongg-4.10.4-1.fc17, kalgebra-4.10.4-1.fc17, kalzium-4.10.4-1.fc17, kamera-4.10.4-1.fc17, kanagram-4.10.4-1.fc17, kapman-4.10.4-1.fc17, kate-4.10.4-1.fc17, katomic-4.10.4-1.fc17, kblackbox-4.10.4-1.fc17, kblocks-4.10.4-1.fc17, kbounce-4.10.4-1.fc17, kbreakout-4.10.4-1.fc17, kbruch-4.10.4-1.fc17, kcalc-4.10.4-1.fc17, kcharselect-4.10.4-1.fc17, kcolorchooser-4.10.4-1.fc17, kdeaccessibility-4.10.4-1.fc17, kdeadmin-4.10.4-1.fc17, kdeartwork-4.10.4-1.fc17, kde-baseapps-4.10.4-1.fc17, kde-base-artwork-4.10.4-1.fc17, kdebindings-4.10.4-1.fc17, kdeedu-4.10.4-1.fc17, kdegames-4.10.4-1.fc17, kdegraphics-4.10.4-1.fc17, kdegraphics-mobipocket-4.10.4-1.fc17, kdegraphics-strigi-analyzer-4.10.4-1.fc17, kdegraphics-thumbnailers-4.10.4-1.fc17, kde-l10n-4.10.4-1.fc17, kdelibs-4.10.4-1.fc17, kdemultimedia-4.10.4-1.fc17, kdenetwork-4.10.4-1.fc17, kdepim-4.10.4-1.fc17, kdepim-runtime-4.10.4-1.fc17, kde-print-manager-4.10.4-1.fc17, kde-runtime-4.10.4-1.fc17, kdesdk-4.10.4-1.fc17, kdetoys-4.10.4-1.fc17, kdeutils-4.10.4-1.fc17, kde-wallpapers-4.10.4-1.fc17, kde-workspace-4.10.4-1.fc17, kdf-4.10.4-1.fc17, kdiamond-4.10.4-1.fc17, kfloppy-4.10.4-1.fc17, kfourinline-4.10.4-1.fc17, kgamma-4.10.4-1.fc17, kgeography-4.10.4-1.fc17, kgoldrunner-4.10.4-1.fc17, kgpg-4.10.4-1.fc17, khangman-4.10.4-1.fc17, kig-4.10.4-1.fc17, kigo-4.10.4-1.fc17, killbots-4.10.4-1.fc17, kimono-4.10.4-1.fc17, kiriki-4.10.4-1.fc17, kiten-4.10.4-1.fc17, kjumpingcube-4.10.4-1.fc17, klettres-4.10.4-1.fc17, klickety-4.10.4-1.fc17, klines-4.10.4-1.fc17, kmag-4.10.4-1.fc17, kmahjongg-4.10.4-1.fc17, kmines-4.10.4-1.fc17, kmix-4.10.4-1.fc17, kmousetool-4.10.4-1.fc17, kmouth-4.10.4-1.fc17, kmplot-4.10.4-1.fc17, knavalbattle-4.10.4-1.fc17, knetwalk-4.10.4-1.fc17, kolf-4.10.4-1.fc17, kollision-4.10.4-1.fc17, kolourpaint-4.10.4-1.fc17, konquest-4.10.4-1.fc17, konsole-4.10.4-1.fc17, kpat-4.10.4-1.fc17, kremotecontrol-4.10.4-1.fc17, kreversi-4.10.4-1.fc17, kross-interpreters-4.10.4-1.fc17, kruler-4.10.4-1.fc17, ksaneplugin-4.10.4-1.fc17, kscd-4.10.4-1.fc17, kshisen-4.10.4-1.fc17, ksirk-4.10.4-1.fc17, ksnakeduel-4.10.4-1.fc17, ksnapshot-4.10.4-1.fc17, kspaceduel-4.10.4-1.fc17, ksquares-4.10.4-1.fc17, kstars-4.10.4-1.fc17, ksudoku-4.10.4-1.fc17, ktimer-4.10.4-1.fc17, ktouch-4.10.4-1.fc17, ktuberling-4.10.4-1.fc17, kturtle-4.10.4-1.fc17, kubrick-4.10.4-1.fc17, kwallet-4.10.4-1.fc17, kwordquiz-4.10.4-1.fc17, libkcddb-4.10.4-1.fc17, libkcompactdisc-4.10.4-1.fc17, libkdcraw-4.10.4-1.fc17, libkdeedu-4.10.4-1.fc17, libkdegames-4.10.4-1.fc17, libkexiv2-4.10.4-1.fc17, libkipi-4.10.4-1.fc17, libkmahjongg-4.10.4-1.fc17, libksane-4.10.4-1.fc17, lskat-4.10.4-1.fc17, marble-4.10.4-1.fc17, nepomuk-core-4.10.4-1.fc17, nepomuk-widgets-4.10.4-1.fc17, okular-4.10.4-1.fc17, oxygen-icon-theme-4.10.4-1.fc17, pairs-4.10.4-1.fc17, palapeli-4.10.4-1.fc17, parley-4.10.4-1.fc17, picmi-4.10.4-1.fc17, pykde4-4.10.4-1.fc17, qyoto-4.10.4-1.fc17, rocs-4.10.4-1.fc17, ruby-korundum-4.10.4-1.fc17, ruby-qt-4.10.4-1.fc17, smokegen-4.10.4-1.fc17, smokekde-4.10.4-1.fc17, smokeqt-4.10.4-1.fc17, step-4.10.4-1.fc17, superkaramba-4.10.4-1.fc17, svgpart-4.10.4-1.fc17, sweeper-4.10.4-1.fc17, kdeplasma-addons-4.10.4-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

That fix is not much better.  KRandom is just rand(), so there's only 2^32 possible seeds.

(In reply to Michael Samuel from comment #8)
> That fix is not much better.  KRandom is just rand(), so there's only 2^32
> possible seeds.

Thanks, Michael. Checking with Aaron J. Seigo, original CVE-2013-2120 patch author, what could be done to strengthen the patch yet (you were Cc-ed on that post).

Regards, Jan.

I have a patch based on qca::random(), but was waiting for contact from KDE people, as I wasn't sure if qca needed some special initialization.

Also, the numbers charset has '0' twice - one of them needs to be removed.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2013-2120