Bug 969421 (CVE-2013-2120)

Summary: CVE-2013-2120 kdeplasma-addons: Weak passwords generated by PasteMacroExpander
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: low
Priority: low
Version: unspecified
CC: jgrulich, jreznik, kevin, mik, rdieter, rnovacek, security-response-team, sisharma, smparrish, than
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20130528,reported=20130528,source=oss-security,cvss2=1.2/AV:L/AC:H/Au:N/C:P/I:N/A:N,rhel-6/kdeplasma-addons=defer,fedora-all/kdeplasma-addons=affected
Doc Type: Bug Fix
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Bug Depends On: 969425
Bug Blocks: 969428

Description Jan Lieskovsky 2013-05-31 07:47:40 EDT
A security flaw was found in the way the PasteMacroExpander of the paste applet of kdeplasma-addons, a suite of additional plasmoids for the KDE desktop environment, performed password generation / derivation for a user-provided string. An attacker could use this flaw to obtain the plaintext form of such a password (possibly leading to their subsequent ability to gain unauthorized access to a service / resource intended to be protected by such a password).

References:
[1] http://www.openwall.com/lists/oss-security/2013/05/28/5
[2] https://bugzilla.novell.com/show_bug.cgi?id=822595
Comment 1 Jan Lieskovsky 2013-05-31 07:50:08 EDT
This issue affects the version of the kdeplasma-addons package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the kdeplasma-addons package, as shipped with Fedora releases 17 and 18. Please schedule an update (once there is a final upstream patch available).
Comment 2 Jan Lieskovsky 2013-05-31 07:51:23 EDT
Created kdeplasma-addons tracking bugs for this issue

Affects: fedora-all [bug 969425]
Comment 4 Rex Dieter 2013-06-03 17:03:04 EDT
pulled into kdeplasma-4.10.4-2 builds
Comment 5 Fedora Update System 2013-06-07 00:40:41 EDT
analitza-4.10.4-1.fc19, ark-4.10.4-1.fc19, audiocd-kio-4.10.4-1.fc19, blinken-4.10.4-1.fc19, bomber-4.10.4-1.fc19, bovo-4.10.4-1.fc19, cantor-4.10.4-1.fc19, dragon-4.10.4-1.fc19, filelight-4.10.4-1.fc19, granatier-4.10.4-1.fc19, gwenview-4.10.4-1.fc19, jovie-4.10.4-1.fc19, juk-4.10.4-1.fc19, kaccessible-4.10.4-1.fc19, kactivities-4.10.4-1.fc19, kajongg-4.10.4-1.fc19, kalgebra-4.10.4-1.fc19, kalzium-4.10.4-1.fc19, kamera-4.10.4-1.fc19, kanagram-4.10.4-1.fc19, kapman-4.10.4-1.fc19, kate-4.10.4-1.fc19, katomic-4.10.4-1.fc19, kblackbox-4.10.4-1.fc19, kblocks-4.10.4-1.fc19, kbounce-4.10.4-1.fc19, kbreakout-4.10.4-1.fc19, kbruch-4.10.4-1.fc19, kcalc-4.10.4-1.fc19, kcharselect-4.10.4-1.fc19, kcolorchooser-4.10.4-1.fc19, kdeaccessibility-4.10.4-1.fc19, kdeadmin-4.10.4-1.fc19, kdeartwork-4.10.4-1.fc19, kde-baseapps-4.10.4-1.fc19, kde-base-artwork-4.10.4-1.fc19, kdebindings-4.10.4-1.fc19, kdeedu-4.10.4-1.fc19, kdegames-4.10.4-1.fc19, kdegraphics-4.10.4-1.fc19, kdegraphics-mobipocket-4.10.4-1.fc19, kdegraphics-strigi-analyzer-4.10.4-1.fc19, kdegraphics-thumbnailers-4.10.4-1.fc19, kde-l10n-4.10.4-1.fc19, kdelibs-4.10.4-1.fc19, kdemultimedia-4.10.4-1.fc19, kdenetwork-4.10.4-1.fc19, kdepim-4.10.4-1.fc19, kdepim-runtime-4.10.4-1.fc19.2, kde-print-manager-4.10.4-1.fc19, kde-runtime-4.10.4-1.fc19, kdesdk-4.10.4-1.fc19, kdetoys-4.10.4-1.fc19, kdeutils-4.10.4-1.fc19, kde-wallpapers-4.10.4-1.fc19, kde-workspace-4.10.4-1.fc19, kdf-4.10.4-1.fc19, kdiamond-4.10.4-1.fc19, kfloppy-4.10.4-1.fc19, kfourinline-4.10.4-1.fc19, kgamma-4.10.4-1.fc19, kgeography-4.10.4-1.fc19, kgoldrunner-4.10.4-1.fc19, kgpg-4.10.4-1.fc19, khangman-4.10.4-1.fc19, kig-4.10.4-1.fc19, kigo-4.10.4-1.fc19, killbots-4.10.4-1.fc19, kimono-4.10.4-1.fc19, kiriki-4.10.4-1.fc19, kiten-4.10.4-1.fc19, kjumpingcube-4.10.4-1.fc19, klettres-4.10.4-1.fc19, klickety-4.10.4-1.fc19, klines-4.10.4-1.fc19, kmag-4.10.4-1.fc19, kmahjongg-4.10.4-1.fc19, kmines-4.10.4-1.fc19, kmix-4.10.4-1.fc19, kmousetool-4.10.4-1.fc19, 
kmouth-4.10.4-1.fc19, kmplot-4.10.4-1.fc19, knavalbattle-4.10.4-1.fc19, knetwalk-4.10.4-1.fc19, kolf-4.10.4-1.fc19, kollision-4.10.4-1.fc19, kolourpaint-4.10.4-1.fc19, konquest-4.10.4-1.fc19, konsole-4.10.4-1.fc19, kpat-4.10.4-1.fc19, kremotecontrol-4.10.4-1.fc19, kreversi-4.10.4-1.fc19, kross-interpreters-4.10.4-1.fc19, kruler-4.10.4-1.fc19, ksaneplugin-4.10.4-1.fc19, kscd-4.10.4-1.fc19, kshisen-4.10.4-1.fc19, ksirk-4.10.4-1.fc19, ksnakeduel-4.10.4-1.fc19, ksnapshot-4.10.4-1.fc19, kspaceduel-4.10.4-1.fc19, ksquares-4.10.4-1.fc19, kstars-4.10.4-1.fc19, ksudoku-4.10.4-1.fc19, ktimer-4.10.4-1.fc19, ktouch-4.10.4-1.fc19, ktuberling-4.10.4-1.fc19, kturtle-4.10.4-1.fc19, kubrick-4.10.4-1.fc19, kwallet-4.10.4-1.fc19, kwordquiz-4.10.4-1.fc19, libkcddb-4.10.4-1.fc19, libkcompactdisc-4.10.4-1.fc19, libkdcraw-4.10.4-1.fc19, libkdeedu-4.10.4-1.fc19, libkdegames-4.10.4-1.fc19, libkexiv2-4.10.4-1.fc19, libkipi-4.10.4-1.fc19, libkmahjongg-4.10.4-1.fc19, libksane-4.10.4-1.fc19, lskat-4.10.4-1.fc19, marble-4.10.4-1.fc19, nepomuk-core-4.10.4-1.fc19, nepomuk-widgets-4.10.4-1.fc19, okular-4.10.4-1.fc19, oxygen-icon-theme-4.10.4-1.fc19, pairs-4.10.4-1.fc19, palapeli-4.10.4-1.fc19, parley-4.10.4-1.fc19, picmi-4.10.4-1.fc19, pykde4-4.10.4-1.fc19, qyoto-4.10.4-1.fc19, rocs-4.10.4-1.fc19, ruby-korundum-4.10.4-1.fc19, ruby-qt-4.10.4-1.fc19, smokegen-4.10.4-1.fc19, smokekde-4.10.4-1.fc19, smokeqt-4.10.4-1.fc19, step-4.10.4-1.fc19, superkaramba-4.10.4-1.fc19, svgpart-4.10.4-1.fc19, sweeper-4.10.4-1.fc19, kdepimlibs-4.10.4-2.fc19, kdeplasma-addons-4.10.4-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2013-06-11 22:29:11 EDT
kdeplasma-addons-4.10.4-2.fc18, analitza-4.10.4-1.fc18, ark-4.10.4-1.fc18, audiocd-kio-4.10.4-1.fc18, blinken-4.10.4-1.fc18, bomber-4.10.4-1.fc18, bovo-4.10.4-1.fc18, cantor-4.10.4-1.fc18, dragon-4.10.4-1.fc18, filelight-4.10.4-1.fc18, granatier-4.10.4-1.fc18, gwenview-4.10.4-1.fc18, jovie-4.10.4-1.fc18, juk-4.10.4-1.fc18, kaccessible-4.10.4-1.fc18, kactivities-4.10.4-1.fc18, kajongg-4.10.4-1.fc18, kalgebra-4.10.4-1.fc18, kalzium-4.10.4-1.fc18, kamera-4.10.4-1.fc18, kanagram-4.10.4-1.fc18, kapman-4.10.4-1.fc18, kate-4.10.4-1.fc18, katomic-4.10.4-1.fc18, kblackbox-4.10.4-1.fc18, kblocks-4.10.4-1.fc18, kbounce-4.10.4-1.fc18, kbreakout-4.10.4-1.fc18, kbruch-4.10.4-1.fc18, kcalc-4.10.4-1.fc18, kcharselect-4.10.4-1.fc18, kcolorchooser-4.10.4-1.fc18, kdeaccessibility-4.10.4-1.fc18, kdeadmin-4.10.4-1.fc18, kdeartwork-4.10.4-1.fc18, kde-baseapps-4.10.4-1.fc18, kde-base-artwork-4.10.4-1.fc18, kdebindings-4.10.4-1.fc18, kdeedu-4.10.4-1.fc18, kdegames-4.10.4-1.fc18, kdegraphics-4.10.4-1.fc18, kdegraphics-mobipocket-4.10.4-1.fc18, kdegraphics-strigi-analyzer-4.10.4-1.fc18, kdegraphics-thumbnailers-4.10.4-1.fc18, kde-l10n-4.10.4-1.fc18, kdelibs-4.10.4-1.fc18, kdemultimedia-4.10.4-1.fc18, kdenetwork-4.10.4-1.fc18, kdepim-4.10.4-1.fc18, kdepim-runtime-4.10.4-1.fc18.1, kde-print-manager-4.10.4-1.fc18, kde-runtime-4.10.4-1.fc18, kdesdk-4.10.4-1.fc18, kdetoys-4.10.4-1.fc18, kdeutils-4.10.4-1.fc18, kde-wallpapers-4.10.4-1.fc18, kde-workspace-4.10.4-1.fc18, kdf-4.10.4-1.fc18, kdiamond-4.10.4-1.fc18, kfloppy-4.10.4-1.fc18, kfourinline-4.10.4-1.fc18, kgamma-4.10.4-1.fc18, kgeography-4.10.4-1.fc18, kgoldrunner-4.10.4-1.fc18, kgpg-4.10.4-1.fc18, khangman-4.10.4-1.fc18, kig-4.10.4-1.fc18, kigo-4.10.4-1.fc18, killbots-4.10.4-1.fc18, kimono-4.10.4-1.fc18, kiriki-4.10.4-1.fc18, kiten-4.10.4-1.fc18, kjumpingcube-4.10.4-1.fc18, klettres-4.10.4-1.fc18, klickety-4.10.4-1.fc18, klines-4.10.4-1.fc18, kmag-4.10.4-1.fc18, kmahjongg-4.10.4-1.fc18, kmines-4.10.4-1.fc18, kmix-4.10.4-1.fc18, 
kmousetool-4.10.4-1.fc18, kmouth-4.10.4-1.fc18, kmplot-4.10.4-1.fc18, knavalbattle-4.10.4-1.fc18, knetwalk-4.10.4-1.fc18, kolf-4.10.4-1.fc18, kollision-4.10.4-1.fc18, kolourpaint-4.10.4-1.fc18, konquest-4.10.4-1.fc18, konsole-4.10.4-1.fc18, kpat-4.10.4-1.fc18, kremotecontrol-4.10.4-1.fc18, kreversi-4.10.4-1.fc18, kross-interpreters-4.10.4-1.fc18, kruler-4.10.4-1.fc18, ksaneplugin-4.10.4-1.fc18, kscd-4.10.4-1.fc18, kshisen-4.10.4-1.fc18, ksirk-4.10.4-1.fc18, ksnakeduel-4.10.4-1.fc18, ksnapshot-4.10.4-1.fc18, kspaceduel-4.10.4-1.fc18, ksquares-4.10.4-1.fc18, kstars-4.10.4-1.fc18, ksudoku-4.10.4-1.fc18, ktimer-4.10.4-1.fc18, ktouch-4.10.4-1.fc18, ktuberling-4.10.4-1.fc18, kturtle-4.10.4-1.fc18, kubrick-4.10.4-1.fc18, kwallet-4.10.4-1.fc18, kwordquiz-4.10.4-1.fc18, libkcddb-4.10.4-1.fc18, libkcompactdisc-4.10.4-1.fc18, libkdcraw-4.10.4-1.fc18, libkdeedu-4.10.4-1.fc18, libkdegames-4.10.4-1.fc18, libkexiv2-4.10.4-1.fc18, libkipi-4.10.4-1.fc18, libkmahjongg-4.10.4-1.fc18, libksane-4.10.4-1.fc18, lskat-4.10.4-1.fc18, marble-4.10.4-1.fc18, nepomuk-core-4.10.4-1.fc18, nepomuk-widgets-4.10.4-1.fc18, okular-4.10.4-1.fc18, oxygen-icon-theme-4.10.4-1.fc18, pairs-4.10.4-1.fc18, palapeli-4.10.4-1.fc18, parley-4.10.4-1.fc18, picmi-4.10.4-1.fc18, pykde4-4.10.4-1.fc18, qyoto-4.10.4-1.fc18, rocs-4.10.4-1.fc18, ruby-korundum-4.10.4-1.fc18, ruby-qt-4.10.4-1.fc18, smokegen-4.10.4-1.fc18, smokekde-4.10.4-1.fc18, smokeqt-4.10.4-1.fc18, step-4.10.4-1.fc18, superkaramba-4.10.4-1.fc18, svgpart-4.10.4-1.fc18, sweeper-4.10.4-1.fc18, kdepimlibs-4.10.4-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-06-16 01:36:05 EDT
kdepimlibs-4.10.4-2.fc17, analitza-4.10.4-1.fc17, ark-4.10.4-1.fc17, audiocd-kio-4.10.4-1.fc17, blinken-4.10.4-1.fc17, bomber-4.10.4-1.fc17, bovo-4.10.4-1.fc17, cantor-4.10.4-1.fc17, dragon-4.10.4-1.fc17, filelight-4.10.4-1.fc17, granatier-4.10.4-1.fc17, gwenview-4.10.4-1.fc17, jovie-4.10.4-1.fc17, juk-4.10.4-1.fc17, kaccessible-4.10.4-1.fc17, kactivities-4.10.4-1.fc17, kajongg-4.10.4-1.fc17, kalgebra-4.10.4-1.fc17, kalzium-4.10.4-1.fc17, kamera-4.10.4-1.fc17, kanagram-4.10.4-1.fc17, kapman-4.10.4-1.fc17, kate-4.10.4-1.fc17, katomic-4.10.4-1.fc17, kblackbox-4.10.4-1.fc17, kblocks-4.10.4-1.fc17, kbounce-4.10.4-1.fc17, kbreakout-4.10.4-1.fc17, kbruch-4.10.4-1.fc17, kcalc-4.10.4-1.fc17, kcharselect-4.10.4-1.fc17, kcolorchooser-4.10.4-1.fc17, kdeaccessibility-4.10.4-1.fc17, kdeadmin-4.10.4-1.fc17, kdeartwork-4.10.4-1.fc17, kde-baseapps-4.10.4-1.fc17, kde-base-artwork-4.10.4-1.fc17, kdebindings-4.10.4-1.fc17, kdeedu-4.10.4-1.fc17, kdegames-4.10.4-1.fc17, kdegraphics-4.10.4-1.fc17, kdegraphics-mobipocket-4.10.4-1.fc17, kdegraphics-strigi-analyzer-4.10.4-1.fc17, kdegraphics-thumbnailers-4.10.4-1.fc17, kde-l10n-4.10.4-1.fc17, kdelibs-4.10.4-1.fc17, kdemultimedia-4.10.4-1.fc17, kdenetwork-4.10.4-1.fc17, kdepim-4.10.4-1.fc17, kdepim-runtime-4.10.4-1.fc17, kde-print-manager-4.10.4-1.fc17, kde-runtime-4.10.4-1.fc17, kdesdk-4.10.4-1.fc17, kdetoys-4.10.4-1.fc17, kdeutils-4.10.4-1.fc17, kde-wallpapers-4.10.4-1.fc17, kde-workspace-4.10.4-1.fc17, kdf-4.10.4-1.fc17, kdiamond-4.10.4-1.fc17, kfloppy-4.10.4-1.fc17, kfourinline-4.10.4-1.fc17, kgamma-4.10.4-1.fc17, kgeography-4.10.4-1.fc17, kgoldrunner-4.10.4-1.fc17, kgpg-4.10.4-1.fc17, khangman-4.10.4-1.fc17, kig-4.10.4-1.fc17, kigo-4.10.4-1.fc17, killbots-4.10.4-1.fc17, kimono-4.10.4-1.fc17, kiriki-4.10.4-1.fc17, kiten-4.10.4-1.fc17, kjumpingcube-4.10.4-1.fc17, klettres-4.10.4-1.fc17, klickety-4.10.4-1.fc17, klines-4.10.4-1.fc17, kmag-4.10.4-1.fc17, kmahjongg-4.10.4-1.fc17, kmines-4.10.4-1.fc17, kmix-4.10.4-1.fc17, 
kmousetool-4.10.4-1.fc17, kmouth-4.10.4-1.fc17, kmplot-4.10.4-1.fc17, knavalbattle-4.10.4-1.fc17, knetwalk-4.10.4-1.fc17, kolf-4.10.4-1.fc17, kollision-4.10.4-1.fc17, kolourpaint-4.10.4-1.fc17, konquest-4.10.4-1.fc17, konsole-4.10.4-1.fc17, kpat-4.10.4-1.fc17, kremotecontrol-4.10.4-1.fc17, kreversi-4.10.4-1.fc17, kross-interpreters-4.10.4-1.fc17, kruler-4.10.4-1.fc17, ksaneplugin-4.10.4-1.fc17, kscd-4.10.4-1.fc17, kshisen-4.10.4-1.fc17, ksirk-4.10.4-1.fc17, ksnakeduel-4.10.4-1.fc17, ksnapshot-4.10.4-1.fc17, kspaceduel-4.10.4-1.fc17, ksquares-4.10.4-1.fc17, kstars-4.10.4-1.fc17, ksudoku-4.10.4-1.fc17, ktimer-4.10.4-1.fc17, ktouch-4.10.4-1.fc17, ktuberling-4.10.4-1.fc17, kturtle-4.10.4-1.fc17, kubrick-4.10.4-1.fc17, kwallet-4.10.4-1.fc17, kwordquiz-4.10.4-1.fc17, libkcddb-4.10.4-1.fc17, libkcompactdisc-4.10.4-1.fc17, libkdcraw-4.10.4-1.fc17, libkdeedu-4.10.4-1.fc17, libkdegames-4.10.4-1.fc17, libkexiv2-4.10.4-1.fc17, libkipi-4.10.4-1.fc17, libkmahjongg-4.10.4-1.fc17, libksane-4.10.4-1.fc17, lskat-4.10.4-1.fc17, marble-4.10.4-1.fc17, nepomuk-core-4.10.4-1.fc17, nepomuk-widgets-4.10.4-1.fc17, okular-4.10.4-1.fc17, oxygen-icon-theme-4.10.4-1.fc17, pairs-4.10.4-1.fc17, palapeli-4.10.4-1.fc17, parley-4.10.4-1.fc17, picmi-4.10.4-1.fc17, pykde4-4.10.4-1.fc17, qyoto-4.10.4-1.fc17, rocs-4.10.4-1.fc17, ruby-korundum-4.10.4-1.fc17, ruby-qt-4.10.4-1.fc17, smokegen-4.10.4-1.fc17, smokekde-4.10.4-1.fc17, smokeqt-4.10.4-1.fc17, step-4.10.4-1.fc17, superkaramba-4.10.4-1.fc17, svgpart-4.10.4-1.fc17, sweeper-4.10.4-1.fc17, kdeplasma-addons-4.10.4-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Michael Samuel 2013-06-19 23:08:15 EDT
That fix is not much better.  KRandom is just rand(), so there's only 2^32 possible seeds.
Comment 9 Jan Lieskovsky 2013-06-21 03:06:55 EDT
(In reply to Michael Samuel from comment #8)
> That fix is not much better.  KRandom is just rand(), so there's only 2^32
> possible seeds.

Thanks, Michael. Checking with Aaron J. Seigo, original CVE-2013-2120 patch author, what could be done to strengthen the patch yet (you were Cc-ed on that post).

Regards, Jan.
Comment 10 Michael Samuel 2013-06-21 05:58:10 EDT
I have a patch based on qca::random(), but was waiting for contact from KDE people, as I wasn't sure if qca needed some special initialization.

Also, the numbers charset has '0' twice - one of them needs to be removed.
Comment 12 Siddharth Sharma 2014-09-06 09:10:12 EDT
Statement:

This issue affects the versions of kdeplasma-addons as shipped with Red Hat Enterprise Linux 6. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.