Bug 969421 (CVE-2013-2120) - CVE-2013-2120 kdeplasma-addons: Weak passwords generated by PasteMacroExpander
Summary: CVE-2013-2120 kdeplasma-addons: Weak passwords generated by PasteMacroExpander
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2013-2120
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 969425
Blocks: 969428
Reported: 2013-05-31 11:47 UTC by Jan Lieskovsky
Modified: 2021-06-11 21:05 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-11 21:05:07 UTC
Embargoed:



Description Jan Lieskovsky 2013-05-31 11:47:40 UTC
A security flaw was found in the way the PasteMacroExpander of the paste applet of kdeplasma-addons, a suite of additional plasmoids for the KDE desktop environment, performed password generation / derivation for a user-provided string. An attacker could use this flaw to obtain the plaintext form of such a password (possibly leading to subsequent unauthorized access to a service / resource intended to be protected by such a password).

References:
[1] http://www.openwall.com/lists/oss-security/2013/05/28/5
[2] https://bugzilla.novell.com/show_bug.cgi?id=822595

Comment 1 Jan Lieskovsky 2013-05-31 11:50:08 UTC
This issue affects the version of the kdeplasma-addons package as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the kdeplasma-addons package as shipped with Fedora releases 17 and 18. Please schedule an update (once there is a final upstream patch available).

Comment 2 Jan Lieskovsky 2013-05-31 11:51:23 UTC
Created kdeplasma-addons tracking bugs for this issue

Affects: fedora-all [bug 969425]

Comment 4 Rex Dieter 2013-06-03 21:03:04 UTC
pulled into kdeplasma-4.10.4-2 builds

Comment 5 Fedora Update System 2013-06-07 04:40:41 UTC
analitza-4.10.4-1.fc19, ark-4.10.4-1.fc19, audiocd-kio-4.10.4-1.fc19, blinken-4.10.4-1.fc19, bomber-4.10.4-1.fc19, bovo-4.10.4-1.fc19, cantor-4.10.4-1.fc19, dragon-4.10.4-1.fc19, filelight-4.10.4-1.fc19, granatier-4.10.4-1.fc19, gwenview-4.10.4-1.fc19, jovie-4.10.4-1.fc19, juk-4.10.4-1.fc19, kaccessible-4.10.4-1.fc19, kactivities-4.10.4-1.fc19, kajongg-4.10.4-1.fc19, kalgebra-4.10.4-1.fc19, kalzium-4.10.4-1.fc19, kamera-4.10.4-1.fc19, kanagram-4.10.4-1.fc19, kapman-4.10.4-1.fc19, kate-4.10.4-1.fc19, katomic-4.10.4-1.fc19, kblackbox-4.10.4-1.fc19, kblocks-4.10.4-1.fc19, kbounce-4.10.4-1.fc19, kbreakout-4.10.4-1.fc19, kbruch-4.10.4-1.fc19, kcalc-4.10.4-1.fc19, kcharselect-4.10.4-1.fc19, kcolorchooser-4.10.4-1.fc19, kdeaccessibility-4.10.4-1.fc19, kdeadmin-4.10.4-1.fc19, kdeartwork-4.10.4-1.fc19, kde-baseapps-4.10.4-1.fc19, kde-base-artwork-4.10.4-1.fc19, kdebindings-4.10.4-1.fc19, kdeedu-4.10.4-1.fc19, kdegames-4.10.4-1.fc19, kdegraphics-4.10.4-1.fc19, kdegraphics-mobipocket-4.10.4-1.fc19, kdegraphics-strigi-analyzer-4.10.4-1.fc19, kdegraphics-thumbnailers-4.10.4-1.fc19, kde-l10n-4.10.4-1.fc19, kdelibs-4.10.4-1.fc19, kdemultimedia-4.10.4-1.fc19, kdenetwork-4.10.4-1.fc19, kdepim-4.10.4-1.fc19, kdepim-runtime-4.10.4-1.fc19.2, kde-print-manager-4.10.4-1.fc19, kde-runtime-4.10.4-1.fc19, kdesdk-4.10.4-1.fc19, kdetoys-4.10.4-1.fc19, kdeutils-4.10.4-1.fc19, kde-wallpapers-4.10.4-1.fc19, kde-workspace-4.10.4-1.fc19, kdf-4.10.4-1.fc19, kdiamond-4.10.4-1.fc19, kfloppy-4.10.4-1.fc19, kfourinline-4.10.4-1.fc19, kgamma-4.10.4-1.fc19, kgeography-4.10.4-1.fc19, kgoldrunner-4.10.4-1.fc19, kgpg-4.10.4-1.fc19, khangman-4.10.4-1.fc19, kig-4.10.4-1.fc19, kigo-4.10.4-1.fc19, killbots-4.10.4-1.fc19, kimono-4.10.4-1.fc19, kiriki-4.10.4-1.fc19, kiten-4.10.4-1.fc19, kjumpingcube-4.10.4-1.fc19, klettres-4.10.4-1.fc19, klickety-4.10.4-1.fc19, klines-4.10.4-1.fc19, kmag-4.10.4-1.fc19, kmahjongg-4.10.4-1.fc19, kmines-4.10.4-1.fc19, kmix-4.10.4-1.fc19, kmousetool-4.10.4-1.fc19, 
kmouth-4.10.4-1.fc19, kmplot-4.10.4-1.fc19, knavalbattle-4.10.4-1.fc19, knetwalk-4.10.4-1.fc19, kolf-4.10.4-1.fc19, kollision-4.10.4-1.fc19, kolourpaint-4.10.4-1.fc19, konquest-4.10.4-1.fc19, konsole-4.10.4-1.fc19, kpat-4.10.4-1.fc19, kremotecontrol-4.10.4-1.fc19, kreversi-4.10.4-1.fc19, kross-interpreters-4.10.4-1.fc19, kruler-4.10.4-1.fc19, ksaneplugin-4.10.4-1.fc19, kscd-4.10.4-1.fc19, kshisen-4.10.4-1.fc19, ksirk-4.10.4-1.fc19, ksnakeduel-4.10.4-1.fc19, ksnapshot-4.10.4-1.fc19, kspaceduel-4.10.4-1.fc19, ksquares-4.10.4-1.fc19, kstars-4.10.4-1.fc19, ksudoku-4.10.4-1.fc19, ktimer-4.10.4-1.fc19, ktouch-4.10.4-1.fc19, ktuberling-4.10.4-1.fc19, kturtle-4.10.4-1.fc19, kubrick-4.10.4-1.fc19, kwallet-4.10.4-1.fc19, kwordquiz-4.10.4-1.fc19, libkcddb-4.10.4-1.fc19, libkcompactdisc-4.10.4-1.fc19, libkdcraw-4.10.4-1.fc19, libkdeedu-4.10.4-1.fc19, libkdegames-4.10.4-1.fc19, libkexiv2-4.10.4-1.fc19, libkipi-4.10.4-1.fc19, libkmahjongg-4.10.4-1.fc19, libksane-4.10.4-1.fc19, lskat-4.10.4-1.fc19, marble-4.10.4-1.fc19, nepomuk-core-4.10.4-1.fc19, nepomuk-widgets-4.10.4-1.fc19, okular-4.10.4-1.fc19, oxygen-icon-theme-4.10.4-1.fc19, pairs-4.10.4-1.fc19, palapeli-4.10.4-1.fc19, parley-4.10.4-1.fc19, picmi-4.10.4-1.fc19, pykde4-4.10.4-1.fc19, qyoto-4.10.4-1.fc19, rocs-4.10.4-1.fc19, ruby-korundum-4.10.4-1.fc19, ruby-qt-4.10.4-1.fc19, smokegen-4.10.4-1.fc19, smokekde-4.10.4-1.fc19, smokeqt-4.10.4-1.fc19, step-4.10.4-1.fc19, superkaramba-4.10.4-1.fc19, svgpart-4.10.4-1.fc19, sweeper-4.10.4-1.fc19, kdepimlibs-4.10.4-2.fc19, kdeplasma-addons-4.10.4-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2013-06-12 02:29:11 UTC
kdeplasma-addons-4.10.4-2.fc18, analitza-4.10.4-1.fc18, ark-4.10.4-1.fc18, audiocd-kio-4.10.4-1.fc18, blinken-4.10.4-1.fc18, bomber-4.10.4-1.fc18, bovo-4.10.4-1.fc18, cantor-4.10.4-1.fc18, dragon-4.10.4-1.fc18, filelight-4.10.4-1.fc18, granatier-4.10.4-1.fc18, gwenview-4.10.4-1.fc18, jovie-4.10.4-1.fc18, juk-4.10.4-1.fc18, kaccessible-4.10.4-1.fc18, kactivities-4.10.4-1.fc18, kajongg-4.10.4-1.fc18, kalgebra-4.10.4-1.fc18, kalzium-4.10.4-1.fc18, kamera-4.10.4-1.fc18, kanagram-4.10.4-1.fc18, kapman-4.10.4-1.fc18, kate-4.10.4-1.fc18, katomic-4.10.4-1.fc18, kblackbox-4.10.4-1.fc18, kblocks-4.10.4-1.fc18, kbounce-4.10.4-1.fc18, kbreakout-4.10.4-1.fc18, kbruch-4.10.4-1.fc18, kcalc-4.10.4-1.fc18, kcharselect-4.10.4-1.fc18, kcolorchooser-4.10.4-1.fc18, kdeaccessibility-4.10.4-1.fc18, kdeadmin-4.10.4-1.fc18, kdeartwork-4.10.4-1.fc18, kde-baseapps-4.10.4-1.fc18, kde-base-artwork-4.10.4-1.fc18, kdebindings-4.10.4-1.fc18, kdeedu-4.10.4-1.fc18, kdegames-4.10.4-1.fc18, kdegraphics-4.10.4-1.fc18, kdegraphics-mobipocket-4.10.4-1.fc18, kdegraphics-strigi-analyzer-4.10.4-1.fc18, kdegraphics-thumbnailers-4.10.4-1.fc18, kde-l10n-4.10.4-1.fc18, kdelibs-4.10.4-1.fc18, kdemultimedia-4.10.4-1.fc18, kdenetwork-4.10.4-1.fc18, kdepim-4.10.4-1.fc18, kdepim-runtime-4.10.4-1.fc18.1, kde-print-manager-4.10.4-1.fc18, kde-runtime-4.10.4-1.fc18, kdesdk-4.10.4-1.fc18, kdetoys-4.10.4-1.fc18, kdeutils-4.10.4-1.fc18, kde-wallpapers-4.10.4-1.fc18, kde-workspace-4.10.4-1.fc18, kdf-4.10.4-1.fc18, kdiamond-4.10.4-1.fc18, kfloppy-4.10.4-1.fc18, kfourinline-4.10.4-1.fc18, kgamma-4.10.4-1.fc18, kgeography-4.10.4-1.fc18, kgoldrunner-4.10.4-1.fc18, kgpg-4.10.4-1.fc18, khangman-4.10.4-1.fc18, kig-4.10.4-1.fc18, kigo-4.10.4-1.fc18, killbots-4.10.4-1.fc18, kimono-4.10.4-1.fc18, kiriki-4.10.4-1.fc18, kiten-4.10.4-1.fc18, kjumpingcube-4.10.4-1.fc18, klettres-4.10.4-1.fc18, klickety-4.10.4-1.fc18, klines-4.10.4-1.fc18, kmag-4.10.4-1.fc18, kmahjongg-4.10.4-1.fc18, kmines-4.10.4-1.fc18, kmix-4.10.4-1.fc18, 
kmousetool-4.10.4-1.fc18, kmouth-4.10.4-1.fc18, kmplot-4.10.4-1.fc18, knavalbattle-4.10.4-1.fc18, knetwalk-4.10.4-1.fc18, kolf-4.10.4-1.fc18, kollision-4.10.4-1.fc18, kolourpaint-4.10.4-1.fc18, konquest-4.10.4-1.fc18, konsole-4.10.4-1.fc18, kpat-4.10.4-1.fc18, kremotecontrol-4.10.4-1.fc18, kreversi-4.10.4-1.fc18, kross-interpreters-4.10.4-1.fc18, kruler-4.10.4-1.fc18, ksaneplugin-4.10.4-1.fc18, kscd-4.10.4-1.fc18, kshisen-4.10.4-1.fc18, ksirk-4.10.4-1.fc18, ksnakeduel-4.10.4-1.fc18, ksnapshot-4.10.4-1.fc18, kspaceduel-4.10.4-1.fc18, ksquares-4.10.4-1.fc18, kstars-4.10.4-1.fc18, ksudoku-4.10.4-1.fc18, ktimer-4.10.4-1.fc18, ktouch-4.10.4-1.fc18, ktuberling-4.10.4-1.fc18, kturtle-4.10.4-1.fc18, kubrick-4.10.4-1.fc18, kwallet-4.10.4-1.fc18, kwordquiz-4.10.4-1.fc18, libkcddb-4.10.4-1.fc18, libkcompactdisc-4.10.4-1.fc18, libkdcraw-4.10.4-1.fc18, libkdeedu-4.10.4-1.fc18, libkdegames-4.10.4-1.fc18, libkexiv2-4.10.4-1.fc18, libkipi-4.10.4-1.fc18, libkmahjongg-4.10.4-1.fc18, libksane-4.10.4-1.fc18, lskat-4.10.4-1.fc18, marble-4.10.4-1.fc18, nepomuk-core-4.10.4-1.fc18, nepomuk-widgets-4.10.4-1.fc18, okular-4.10.4-1.fc18, oxygen-icon-theme-4.10.4-1.fc18, pairs-4.10.4-1.fc18, palapeli-4.10.4-1.fc18, parley-4.10.4-1.fc18, picmi-4.10.4-1.fc18, pykde4-4.10.4-1.fc18, qyoto-4.10.4-1.fc18, rocs-4.10.4-1.fc18, ruby-korundum-4.10.4-1.fc18, ruby-qt-4.10.4-1.fc18, smokegen-4.10.4-1.fc18, smokekde-4.10.4-1.fc18, smokeqt-4.10.4-1.fc18, step-4.10.4-1.fc18, superkaramba-4.10.4-1.fc18, svgpart-4.10.4-1.fc18, sweeper-4.10.4-1.fc18, kdepimlibs-4.10.4-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2013-06-16 05:36:05 UTC
kdepimlibs-4.10.4-2.fc17, analitza-4.10.4-1.fc17, ark-4.10.4-1.fc17, audiocd-kio-4.10.4-1.fc17, blinken-4.10.4-1.fc17, bomber-4.10.4-1.fc17, bovo-4.10.4-1.fc17, cantor-4.10.4-1.fc17, dragon-4.10.4-1.fc17, filelight-4.10.4-1.fc17, granatier-4.10.4-1.fc17, gwenview-4.10.4-1.fc17, jovie-4.10.4-1.fc17, juk-4.10.4-1.fc17, kaccessible-4.10.4-1.fc17, kactivities-4.10.4-1.fc17, kajongg-4.10.4-1.fc17, kalgebra-4.10.4-1.fc17, kalzium-4.10.4-1.fc17, kamera-4.10.4-1.fc17, kanagram-4.10.4-1.fc17, kapman-4.10.4-1.fc17, kate-4.10.4-1.fc17, katomic-4.10.4-1.fc17, kblackbox-4.10.4-1.fc17, kblocks-4.10.4-1.fc17, kbounce-4.10.4-1.fc17, kbreakout-4.10.4-1.fc17, kbruch-4.10.4-1.fc17, kcalc-4.10.4-1.fc17, kcharselect-4.10.4-1.fc17, kcolorchooser-4.10.4-1.fc17, kdeaccessibility-4.10.4-1.fc17, kdeadmin-4.10.4-1.fc17, kdeartwork-4.10.4-1.fc17, kde-baseapps-4.10.4-1.fc17, kde-base-artwork-4.10.4-1.fc17, kdebindings-4.10.4-1.fc17, kdeedu-4.10.4-1.fc17, kdegames-4.10.4-1.fc17, kdegraphics-4.10.4-1.fc17, kdegraphics-mobipocket-4.10.4-1.fc17, kdegraphics-strigi-analyzer-4.10.4-1.fc17, kdegraphics-thumbnailers-4.10.4-1.fc17, kde-l10n-4.10.4-1.fc17, kdelibs-4.10.4-1.fc17, kdemultimedia-4.10.4-1.fc17, kdenetwork-4.10.4-1.fc17, kdepim-4.10.4-1.fc17, kdepim-runtime-4.10.4-1.fc17, kde-print-manager-4.10.4-1.fc17, kde-runtime-4.10.4-1.fc17, kdesdk-4.10.4-1.fc17, kdetoys-4.10.4-1.fc17, kdeutils-4.10.4-1.fc17, kde-wallpapers-4.10.4-1.fc17, kde-workspace-4.10.4-1.fc17, kdf-4.10.4-1.fc17, kdiamond-4.10.4-1.fc17, kfloppy-4.10.4-1.fc17, kfourinline-4.10.4-1.fc17, kgamma-4.10.4-1.fc17, kgeography-4.10.4-1.fc17, kgoldrunner-4.10.4-1.fc17, kgpg-4.10.4-1.fc17, khangman-4.10.4-1.fc17, kig-4.10.4-1.fc17, kigo-4.10.4-1.fc17, killbots-4.10.4-1.fc17, kimono-4.10.4-1.fc17, kiriki-4.10.4-1.fc17, kiten-4.10.4-1.fc17, kjumpingcube-4.10.4-1.fc17, klettres-4.10.4-1.fc17, klickety-4.10.4-1.fc17, klines-4.10.4-1.fc17, kmag-4.10.4-1.fc17, kmahjongg-4.10.4-1.fc17, kmines-4.10.4-1.fc17, kmix-4.10.4-1.fc17, 
kmousetool-4.10.4-1.fc17, kmouth-4.10.4-1.fc17, kmplot-4.10.4-1.fc17, knavalbattle-4.10.4-1.fc17, knetwalk-4.10.4-1.fc17, kolf-4.10.4-1.fc17, kollision-4.10.4-1.fc17, kolourpaint-4.10.4-1.fc17, konquest-4.10.4-1.fc17, konsole-4.10.4-1.fc17, kpat-4.10.4-1.fc17, kremotecontrol-4.10.4-1.fc17, kreversi-4.10.4-1.fc17, kross-interpreters-4.10.4-1.fc17, kruler-4.10.4-1.fc17, ksaneplugin-4.10.4-1.fc17, kscd-4.10.4-1.fc17, kshisen-4.10.4-1.fc17, ksirk-4.10.4-1.fc17, ksnakeduel-4.10.4-1.fc17, ksnapshot-4.10.4-1.fc17, kspaceduel-4.10.4-1.fc17, ksquares-4.10.4-1.fc17, kstars-4.10.4-1.fc17, ksudoku-4.10.4-1.fc17, ktimer-4.10.4-1.fc17, ktouch-4.10.4-1.fc17, ktuberling-4.10.4-1.fc17, kturtle-4.10.4-1.fc17, kubrick-4.10.4-1.fc17, kwallet-4.10.4-1.fc17, kwordquiz-4.10.4-1.fc17, libkcddb-4.10.4-1.fc17, libkcompactdisc-4.10.4-1.fc17, libkdcraw-4.10.4-1.fc17, libkdeedu-4.10.4-1.fc17, libkdegames-4.10.4-1.fc17, libkexiv2-4.10.4-1.fc17, libkipi-4.10.4-1.fc17, libkmahjongg-4.10.4-1.fc17, libksane-4.10.4-1.fc17, lskat-4.10.4-1.fc17, marble-4.10.4-1.fc17, nepomuk-core-4.10.4-1.fc17, nepomuk-widgets-4.10.4-1.fc17, okular-4.10.4-1.fc17, oxygen-icon-theme-4.10.4-1.fc17, pairs-4.10.4-1.fc17, palapeli-4.10.4-1.fc17, parley-4.10.4-1.fc17, picmi-4.10.4-1.fc17, pykde4-4.10.4-1.fc17, qyoto-4.10.4-1.fc17, rocs-4.10.4-1.fc17, ruby-korundum-4.10.4-1.fc17, ruby-qt-4.10.4-1.fc17, smokegen-4.10.4-1.fc17, smokekde-4.10.4-1.fc17, smokeqt-4.10.4-1.fc17, step-4.10.4-1.fc17, superkaramba-4.10.4-1.fc17, svgpart-4.10.4-1.fc17, sweeper-4.10.4-1.fc17, kdeplasma-addons-4.10.4-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Michael Samuel 2013-06-20 03:08:15 UTC
That fix is not much better.  KRandom is just rand(), so there's only 2^32 possible seeds.

Comment 9 Jan Lieskovsky 2013-06-21 07:06:55 UTC
(In reply to Michael Samuel from comment #8)
> That fix is not much better.  KRandom is just rand(), so there's only 2^32
> possible seeds.

Thanks, Michael. Checking with Aaron J. Seigo, the original CVE-2013-2120 patch author, what more could be done to strengthen the patch (you were Cc-ed on that post).

Regards, Jan.

Comment 10 Michael Samuel 2013-06-21 09:58:10 UTC
I have a patch based on qca::random(), but was waiting for contact from KDE people, as I wasn't sure if qca needed some special initialization.

Also, the numbers charset has '0' twice - one of them needs to be removed.
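The two defects raised in comments 8 and 10, a generator whose output is bounded by a 32-bit seed and a digit charset with '0' listed twice, as an added C++ example that is not code from kdeplasma-addons or from either commenter. It measures how far a seed-bounded generator caps password entropy, flags duplicated charset entries (a duplicate is drawn more often than its neighbours, so the output is not uniform over the intended alphabet), and shows a replacement that draws bytes from the OS CSPRNG and maps them onto the charset with rejection sampling so there is no modulo bias. The charsets, function names and the use of std::random_device as the entropy source are assumptions for illustration; qca::random() from comment 10 is not used here.

```cpp
#include <algorithm>
#include <cmath>
#include <cstdint>
#include <iostream>
#include <random>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed charsets for illustration (not the applet's own tables).
// kDigitsWithDup mirrors the defect from comment 10: '0' listed twice.
static const std::string kDigitsWithDup = "00123456789";
static const std::string kDigits        = "0123456789";
static const std::string kLower         = "abcdefghijklmnopqrstuvwxyz";

// Characters that occur more than once in a charset. Each duplicate is drawn
// proportionally more often than the others, so the output is not uniform over
// the intended alphabet; such a table should be rejected before use.
std::string duplicatedChars(const std::string& charset) {
    std::set<char> seen, dup;
    for (char c : charset) {
        if (!seen.insert(c).second) dup.insert(c);
    }
    return std::string(dup.begin(), dup.end());
}

// Entropy (bits) of `length` symbols drawn independently and uniformly from
// `alphabetSize` distinct characters.
double idealEntropyBits(size_t alphabetSize, size_t length) {
    return static_cast<double>(length) * std::log2(static_cast<double>(alphabetSize));
}

// Effective entropy when the whole password is a deterministic function of a
// single `seedBits`-bit seed (the rand()/KRandom situation from comment 8):
// however long the password, there are at most 2^seedBits distinct outputs.
double effectiveEntropyBits(size_t alphabetSize, size_t length, unsigned seedBits) {
    return std::min(idealEntropyBits(alphabetSize, length),
                    static_cast<double>(seedBits));
}

// Maps random bytes onto charset indices without modulo bias: a byte at or
// above the largest multiple of the alphabet size that fits in 256 is
// discarded rather than folded. Returns "" if the bytes ran out first.
std::string passwordFromBytes(const std::string& charset, size_t length,
                              const std::vector<uint8_t>& bytes) {
    const size_t n = charset.size();
    if (n == 0 || n > 256) throw std::invalid_argument("unusable charset size");
    const unsigned limit = static_cast<unsigned>(256 - (256 % n));
    std::string out;
    for (uint8_t b : bytes) {
        if (out.size() == length) break;
        if (b >= limit) continue;  // reject; keeps every index equally likely
        out.push_back(charset[b % n]);
    }
    return out.size() == length ? out : std::string();
}

// Replacement generator: refuses biased charsets, then feeds bytes from the OS
// CSPRNG through the unbiased mapping. Assumption: std::random_device is
// non-deterministic on this platform (glibc reads /dev/urandom); it stands in
// for whichever vetted source the project adopts.
std::string generatePassword(const std::string& charset, size_t length) {
    if (!duplicatedChars(charset).empty()) {
        throw std::invalid_argument("charset contains duplicate characters");
    }
    if (length == 0) return std::string();
    std::random_device rd;
    std::vector<uint8_t> bytes;
    std::string out;
    do {
        bytes.clear();
        for (size_t i = 0; i < length * 2 + 8; ++i) {
            bytes.push_back(static_cast<uint8_t>(rd()));
        }
        out = passwordFromBytes(charset, length, bytes);
    } while (out.empty());
    return out;
}

int main() {
    std::cout << "duplicates in digit table: '" << duplicatedChars(kDigitsWithDup) << "'\n";
    std::cout << "ideal entropy, 12 lowercase chars: "
              << idealEntropyBits(kLower.size(), 12) << " bits\n";
    std::cout << "same password from a 32-bit seed: "
              << effectiveEntropyBits(kLower.size(), 12, 32) << " bits\n";
    std::cout << "CSPRNG-backed sample: " << generatePassword(kLower, 12) << "\n";
    return 0;
}
```

The entropy figures make the point of comment 8 concrete: lengthening a password generated from a 32-bit seed does nothing once the ideal entropy passes 32 bits, because an enumeration of seeds covers every output. The duplicate check is cheap enough to run as a unit test over every charset table the applet ships.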

Comment 13 Product Security DevOps Team 2021-06-11 21:05:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2013-2120
