A security flaw was found in the way PasteMacroExpander of paste applet of kdeplasma-addons, a suite of additional plasmoids for KDE desktop environment, performed password generation / derivation for user provided string. An attacker could use this flaw to obtain plaintext form of such a password (possibly leading to their subsequent ability for unauthorized access to a service / resource, intended to be protected by such a password). References: [1] http://www.openwall.com/lists/oss-security/2013/05/28/5 [2] https://bugzilla.novell.com/show_bug.cgi?id=822595
This issue affects the version of the kdeplasma-addons package, as shipped with Red Hat Enterprise Linux 6. -- This issue affects the versions of the kdeplasma-addons package, as shipped with Fedora release of 17 and 18. Please schedule an update (once there is a final upstream patch available).
Created kdeplasma-addons tracking bugs for this issue Affects: fedora-all [bug 969425]
Upstream fix: https://projects.kde.org/projects/kde/kdeplasma-addons/repository/revisions/36a1fe49cb70f717c4a6e9eeee2c9186503a8dce
pulled into kdeplasma-4.10.4-2 builds
analitza-4.10.4-1.fc19, ark-4.10.4-1.fc19, audiocd-kio-4.10.4-1.fc19, blinken-4.10.4-1.fc19, bomber-4.10.4-1.fc19, bovo-4.10.4-1.fc19, cantor-4.10.4-1.fc19, dragon-4.10.4-1.fc19, filelight-4.10.4-1.fc19, granatier-4.10.4-1.fc19, gwenview-4.10.4-1.fc19, jovie-4.10.4-1.fc19, juk-4.10.4-1.fc19, kaccessible-4.10.4-1.fc19, kactivities-4.10.4-1.fc19, kajongg-4.10.4-1.fc19, kalgebra-4.10.4-1.fc19, kalzium-4.10.4-1.fc19, kamera-4.10.4-1.fc19, kanagram-4.10.4-1.fc19, kapman-4.10.4-1.fc19, kate-4.10.4-1.fc19, katomic-4.10.4-1.fc19, kblackbox-4.10.4-1.fc19, kblocks-4.10.4-1.fc19, kbounce-4.10.4-1.fc19, kbreakout-4.10.4-1.fc19, kbruch-4.10.4-1.fc19, kcalc-4.10.4-1.fc19, kcharselect-4.10.4-1.fc19, kcolorchooser-4.10.4-1.fc19, kdeaccessibility-4.10.4-1.fc19, kdeadmin-4.10.4-1.fc19, kdeartwork-4.10.4-1.fc19, kde-baseapps-4.10.4-1.fc19, kde-base-artwork-4.10.4-1.fc19, kdebindings-4.10.4-1.fc19, kdeedu-4.10.4-1.fc19, kdegames-4.10.4-1.fc19, kdegraphics-4.10.4-1.fc19, kdegraphics-mobipocket-4.10.4-1.fc19, kdegraphics-strigi-analyzer-4.10.4-1.fc19, kdegraphics-thumbnailers-4.10.4-1.fc19, kde-l10n-4.10.4-1.fc19, kdelibs-4.10.4-1.fc19, kdemultimedia-4.10.4-1.fc19, kdenetwork-4.10.4-1.fc19, kdepim-4.10.4-1.fc19, kdepim-runtime-4.10.4-1.fc19.2, kde-print-manager-4.10.4-1.fc19, kde-runtime-4.10.4-1.fc19, kdesdk-4.10.4-1.fc19, kdetoys-4.10.4-1.fc19, kdeutils-4.10.4-1.fc19, kde-wallpapers-4.10.4-1.fc19, kde-workspace-4.10.4-1.fc19, kdf-4.10.4-1.fc19, kdiamond-4.10.4-1.fc19, kfloppy-4.10.4-1.fc19, kfourinline-4.10.4-1.fc19, kgamma-4.10.4-1.fc19, kgeography-4.10.4-1.fc19, kgoldrunner-4.10.4-1.fc19, kgpg-4.10.4-1.fc19, khangman-4.10.4-1.fc19, kig-4.10.4-1.fc19, kigo-4.10.4-1.fc19, killbots-4.10.4-1.fc19, kimono-4.10.4-1.fc19, kiriki-4.10.4-1.fc19, kiten-4.10.4-1.fc19, kjumpingcube-4.10.4-1.fc19, klettres-4.10.4-1.fc19, klickety-4.10.4-1.fc19, klines-4.10.4-1.fc19, kmag-4.10.4-1.fc19, kmahjongg-4.10.4-1.fc19, kmines-4.10.4-1.fc19, kmix-4.10.4-1.fc19, kmousetool-4.10.4-1.fc19, kmouth-4.10.4-1.fc19, kmplot-4.10.4-1.fc19, knavalbattle-4.10.4-1.fc19, knetwalk-4.10.4-1.fc19, kolf-4.10.4-1.fc19, kollision-4.10.4-1.fc19, kolourpaint-4.10.4-1.fc19, konquest-4.10.4-1.fc19, konsole-4.10.4-1.fc19, kpat-4.10.4-1.fc19, kremotecontrol-4.10.4-1.fc19, kreversi-4.10.4-1.fc19, kross-interpreters-4.10.4-1.fc19, kruler-4.10.4-1.fc19, ksaneplugin-4.10.4-1.fc19, kscd-4.10.4-1.fc19, kshisen-4.10.4-1.fc19, ksirk-4.10.4-1.fc19, ksnakeduel-4.10.4-1.fc19, ksnapshot-4.10.4-1.fc19, kspaceduel-4.10.4-1.fc19, ksquares-4.10.4-1.fc19, kstars-4.10.4-1.fc19, ksudoku-4.10.4-1.fc19, ktimer-4.10.4-1.fc19, ktouch-4.10.4-1.fc19, ktuberling-4.10.4-1.fc19, kturtle-4.10.4-1.fc19, kubrick-4.10.4-1.fc19, kwallet-4.10.4-1.fc19, kwordquiz-4.10.4-1.fc19, libkcddb-4.10.4-1.fc19, libkcompactdisc-4.10.4-1.fc19, libkdcraw-4.10.4-1.fc19, libkdeedu-4.10.4-1.fc19, libkdegames-4.10.4-1.fc19, libkexiv2-4.10.4-1.fc19, libkipi-4.10.4-1.fc19, libkmahjongg-4.10.4-1.fc19, libksane-4.10.4-1.fc19, lskat-4.10.4-1.fc19, marble-4.10.4-1.fc19, nepomuk-core-4.10.4-1.fc19, nepomuk-widgets-4.10.4-1.fc19, okular-4.10.4-1.fc19, oxygen-icon-theme-4.10.4-1.fc19, pairs-4.10.4-1.fc19, palapeli-4.10.4-1.fc19, parley-4.10.4-1.fc19, picmi-4.10.4-1.fc19, pykde4-4.10.4-1.fc19, qyoto-4.10.4-1.fc19, rocs-4.10.4-1.fc19, ruby-korundum-4.10.4-1.fc19, ruby-qt-4.10.4-1.fc19, smokegen-4.10.4-1.fc19, smokekde-4.10.4-1.fc19, smokeqt-4.10.4-1.fc19, step-4.10.4-1.fc19, superkaramba-4.10.4-1.fc19, svgpart-4.10.4-1.fc19, sweeper-4.10.4-1.fc19, kdepimlibs-4.10.4-2.fc19, kdeplasma-addons-4.10.4-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
kdeplasma-addons-4.10.4-2.fc18, analitza-4.10.4-1.fc18, ark-4.10.4-1.fc18, audiocd-kio-4.10.4-1.fc18, blinken-4.10.4-1.fc18, bomber-4.10.4-1.fc18, bovo-4.10.4-1.fc18, cantor-4.10.4-1.fc18, dragon-4.10.4-1.fc18, filelight-4.10.4-1.fc18, granatier-4.10.4-1.fc18, gwenview-4.10.4-1.fc18, jovie-4.10.4-1.fc18, juk-4.10.4-1.fc18, kaccessible-4.10.4-1.fc18, kactivities-4.10.4-1.fc18, kajongg-4.10.4-1.fc18, kalgebra-4.10.4-1.fc18, kalzium-4.10.4-1.fc18, kamera-4.10.4-1.fc18, kanagram-4.10.4-1.fc18, kapman-4.10.4-1.fc18, kate-4.10.4-1.fc18, katomic-4.10.4-1.fc18, kblackbox-4.10.4-1.fc18, kblocks-4.10.4-1.fc18, kbounce-4.10.4-1.fc18, kbreakout-4.10.4-1.fc18, kbruch-4.10.4-1.fc18, kcalc-4.10.4-1.fc18, kcharselect-4.10.4-1.fc18, kcolorchooser-4.10.4-1.fc18, kdeaccessibility-4.10.4-1.fc18, kdeadmin-4.10.4-1.fc18, kdeartwork-4.10.4-1.fc18, kde-baseapps-4.10.4-1.fc18, kde-base-artwork-4.10.4-1.fc18, kdebindings-4.10.4-1.fc18, kdeedu-4.10.4-1.fc18, kdegames-4.10.4-1.fc18, kdegraphics-4.10.4-1.fc18, kdegraphics-mobipocket-4.10.4-1.fc18, kdegraphics-strigi-analyzer-4.10.4-1.fc18, kdegraphics-thumbnailers-4.10.4-1.fc18, kde-l10n-4.10.4-1.fc18, kdelibs-4.10.4-1.fc18, kdemultimedia-4.10.4-1.fc18, kdenetwork-4.10.4-1.fc18, kdepim-4.10.4-1.fc18, kdepim-runtime-4.10.4-1.fc18.1, kde-print-manager-4.10.4-1.fc18, kde-runtime-4.10.4-1.fc18, kdesdk-4.10.4-1.fc18, kdetoys-4.10.4-1.fc18, kdeutils-4.10.4-1.fc18, kde-wallpapers-4.10.4-1.fc18, kde-workspace-4.10.4-1.fc18, kdf-4.10.4-1.fc18, kdiamond-4.10.4-1.fc18, kfloppy-4.10.4-1.fc18, kfourinline-4.10.4-1.fc18, kgamma-4.10.4-1.fc18, kgeography-4.10.4-1.fc18, kgoldrunner-4.10.4-1.fc18, kgpg-4.10.4-1.fc18, khangman-4.10.4-1.fc18, kig-4.10.4-1.fc18, kigo-4.10.4-1.fc18, killbots-4.10.4-1.fc18, kimono-4.10.4-1.fc18, kiriki-4.10.4-1.fc18, kiten-4.10.4-1.fc18, kjumpingcube-4.10.4-1.fc18, klettres-4.10.4-1.fc18, klickety-4.10.4-1.fc18, klines-4.10.4-1.fc18, kmag-4.10.4-1.fc18, kmahjongg-4.10.4-1.fc18, kmines-4.10.4-1.fc18, kmix-4.10.4-1.fc18, kmousetool-4.10.4-1.fc18, kmouth-4.10.4-1.fc18, kmplot-4.10.4-1.fc18, knavalbattle-4.10.4-1.fc18, knetwalk-4.10.4-1.fc18, kolf-4.10.4-1.fc18, kollision-4.10.4-1.fc18, kolourpaint-4.10.4-1.fc18, konquest-4.10.4-1.fc18, konsole-4.10.4-1.fc18, kpat-4.10.4-1.fc18, kremotecontrol-4.10.4-1.fc18, kreversi-4.10.4-1.fc18, kross-interpreters-4.10.4-1.fc18, kruler-4.10.4-1.fc18, ksaneplugin-4.10.4-1.fc18, kscd-4.10.4-1.fc18, kshisen-4.10.4-1.fc18, ksirk-4.10.4-1.fc18, ksnakeduel-4.10.4-1.fc18, ksnapshot-4.10.4-1.fc18, kspaceduel-4.10.4-1.fc18, ksquares-4.10.4-1.fc18, kstars-4.10.4-1.fc18, ksudoku-4.10.4-1.fc18, ktimer-4.10.4-1.fc18, ktouch-4.10.4-1.fc18, ktuberling-4.10.4-1.fc18, kturtle-4.10.4-1.fc18, kubrick-4.10.4-1.fc18, kwallet-4.10.4-1.fc18, kwordquiz-4.10.4-1.fc18, libkcddb-4.10.4-1.fc18, libkcompactdisc-4.10.4-1.fc18, libkdcraw-4.10.4-1.fc18, libkdeedu-4.10.4-1.fc18, libkdegames-4.10.4-1.fc18, libkexiv2-4.10.4-1.fc18, libkipi-4.10.4-1.fc18, libkmahjongg-4.10.4-1.fc18, libksane-4.10.4-1.fc18, lskat-4.10.4-1.fc18, marble-4.10.4-1.fc18, nepomuk-core-4.10.4-1.fc18, nepomuk-widgets-4.10.4-1.fc18, okular-4.10.4-1.fc18, oxygen-icon-theme-4.10.4-1.fc18, pairs-4.10.4-1.fc18, palapeli-4.10.4-1.fc18, parley-4.10.4-1.fc18, picmi-4.10.4-1.fc18, pykde4-4.10.4-1.fc18, qyoto-4.10.4-1.fc18, rocs-4.10.4-1.fc18, ruby-korundum-4.10.4-1.fc18, ruby-qt-4.10.4-1.fc18, smokegen-4.10.4-1.fc18, smokekde-4.10.4-1.fc18, smokeqt-4.10.4-1.fc18, step-4.10.4-1.fc18, superkaramba-4.10.4-1.fc18, svgpart-4.10.4-1.fc18, sweeper-4.10.4-1.fc18, kdepimlibs-4.10.4-2.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
kdepimlibs-4.10.4-2.fc17, analitza-4.10.4-1.fc17, ark-4.10.4-1.fc17, audiocd-kio-4.10.4-1.fc17, blinken-4.10.4-1.fc17, bomber-4.10.4-1.fc17, bovo-4.10.4-1.fc17, cantor-4.10.4-1.fc17, dragon-4.10.4-1.fc17, filelight-4.10.4-1.fc17, granatier-4.10.4-1.fc17, gwenview-4.10.4-1.fc17, jovie-4.10.4-1.fc17, juk-4.10.4-1.fc17, kaccessible-4.10.4-1.fc17, kactivities-4.10.4-1.fc17, kajongg-4.10.4-1.fc17, kalgebra-4.10.4-1.fc17, kalzium-4.10.4-1.fc17, kamera-4.10.4-1.fc17, kanagram-4.10.4-1.fc17, kapman-4.10.4-1.fc17, kate-4.10.4-1.fc17, katomic-4.10.4-1.fc17, kblackbox-4.10.4-1.fc17, kblocks-4.10.4-1.fc17, kbounce-4.10.4-1.fc17, kbreakout-4.10.4-1.fc17, kbruch-4.10.4-1.fc17, kcalc-4.10.4-1.fc17, kcharselect-4.10.4-1.fc17, kcolorchooser-4.10.4-1.fc17, kdeaccessibility-4.10.4-1.fc17, kdeadmin-4.10.4-1.fc17, kdeartwork-4.10.4-1.fc17, kde-baseapps-4.10.4-1.fc17, kde-base-artwork-4.10.4-1.fc17, kdebindings-4.10.4-1.fc17, kdeedu-4.10.4-1.fc17, kdegames-4.10.4-1.fc17, kdegraphics-4.10.4-1.fc17, kdegraphics-mobipocket-4.10.4-1.fc17, kdegraphics-strigi-analyzer-4.10.4-1.fc17, kdegraphics-thumbnailers-4.10.4-1.fc17, kde-l10n-4.10.4-1.fc17, kdelibs-4.10.4-1.fc17, kdemultimedia-4.10.4-1.fc17, kdenetwork-4.10.4-1.fc17, kdepim-4.10.4-1.fc17, kdepim-runtime-4.10.4-1.fc17, kde-print-manager-4.10.4-1.fc17, kde-runtime-4.10.4-1.fc17, kdesdk-4.10.4-1.fc17, kdetoys-4.10.4-1.fc17, kdeutils-4.10.4-1.fc17, kde-wallpapers-4.10.4-1.fc17, kde-workspace-4.10.4-1.fc17, kdf-4.10.4-1.fc17, kdiamond-4.10.4-1.fc17, kfloppy-4.10.4-1.fc17, kfourinline-4.10.4-1.fc17, kgamma-4.10.4-1.fc17, kgeography-4.10.4-1.fc17, kgoldrunner-4.10.4-1.fc17, kgpg-4.10.4-1.fc17, khangman-4.10.4-1.fc17, kig-4.10.4-1.fc17, kigo-4.10.4-1.fc17, killbots-4.10.4-1.fc17, kimono-4.10.4-1.fc17, kiriki-4.10.4-1.fc17, kiten-4.10.4-1.fc17, kjumpingcube-4.10.4-1.fc17, klettres-4.10.4-1.fc17, klickety-4.10.4-1.fc17, klines-4.10.4-1.fc17, kmag-4.10.4-1.fc17, kmahjongg-4.10.4-1.fc17, kmines-4.10.4-1.fc17, kmix-4.10.4-1.fc17, kmousetool-4.10.4-1.fc17, kmouth-4.10.4-1.fc17, kmplot-4.10.4-1.fc17, knavalbattle-4.10.4-1.fc17, knetwalk-4.10.4-1.fc17, kolf-4.10.4-1.fc17, kollision-4.10.4-1.fc17, kolourpaint-4.10.4-1.fc17, konquest-4.10.4-1.fc17, konsole-4.10.4-1.fc17, kpat-4.10.4-1.fc17, kremotecontrol-4.10.4-1.fc17, kreversi-4.10.4-1.fc17, kross-interpreters-4.10.4-1.fc17, kruler-4.10.4-1.fc17, ksaneplugin-4.10.4-1.fc17, kscd-4.10.4-1.fc17, kshisen-4.10.4-1.fc17, ksirk-4.10.4-1.fc17, ksnakeduel-4.10.4-1.fc17, ksnapshot-4.10.4-1.fc17, kspaceduel-4.10.4-1.fc17, ksquares-4.10.4-1.fc17, kstars-4.10.4-1.fc17, ksudoku-4.10.4-1.fc17, ktimer-4.10.4-1.fc17, ktouch-4.10.4-1.fc17, ktuberling-4.10.4-1.fc17, kturtle-4.10.4-1.fc17, kubrick-4.10.4-1.fc17, kwallet-4.10.4-1.fc17, kwordquiz-4.10.4-1.fc17, libkcddb-4.10.4-1.fc17, libkcompactdisc-4.10.4-1.fc17, libkdcraw-4.10.4-1.fc17, libkdeedu-4.10.4-1.fc17, libkdegames-4.10.4-1.fc17, libkexiv2-4.10.4-1.fc17, libkipi-4.10.4-1.fc17, libkmahjongg-4.10.4-1.fc17, libksane-4.10.4-1.fc17, lskat-4.10.4-1.fc17, marble-4.10.4-1.fc17, nepomuk-core-4.10.4-1.fc17, nepomuk-widgets-4.10.4-1.fc17, okular-4.10.4-1.fc17, oxygen-icon-theme-4.10.4-1.fc17, pairs-4.10.4-1.fc17, palapeli-4.10.4-1.fc17, parley-4.10.4-1.fc17, picmi-4.10.4-1.fc17, pykde4-4.10.4-1.fc17, qyoto-4.10.4-1.fc17, rocs-4.10.4-1.fc17, ruby-korundum-4.10.4-1.fc17, ruby-qt-4.10.4-1.fc17, smokegen-4.10.4-1.fc17, smokekde-4.10.4-1.fc17, smokeqt-4.10.4-1.fc17, step-4.10.4-1.fc17, superkaramba-4.10.4-1.fc17, svgpart-4.10.4-1.fc17, sweeper-4.10.4-1.fc17, kdeplasma-addons-4.10.4-2.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
That fix is not much better. KRandom is just rand(), so there's only 2^32 possible seeds.
(In reply to Michael Samuel from comment #8) > That fix is not much better. KRandom is just rand(), so there's only 2^32 > possible seeds. Thanks, Michael. Checking with Aaron J. Seigo, original CVE-2013-2120 patch author, what could be done to strengthen the patch yet (you were Cc-ed on that post). Regards, Jan.
I have a patch based on qca::random(), but was waiting for contact from KDE people, as I wasn't sure if qca needed some special initialization. Also, the numbers charset has '0' twice - one of them needs to be removed.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2013-2120