authorJohannes Huber <johu@gentoo.org>2013-06-04 19:34:18 +0200
committerJohannes Huber <johu@gentoo.org>2013-06-04 19:34:18 +0200
commit7481883cd3d32ce567db6e7c81e80ead11ff06be (patch)
tree7540739dab9b903c0158c75463b6669bea688a47
parent12abccf61e94725f22c2bdda888e7e4cf116e2b4 (diff)
[kde-base/kdeplasma-addons] Backport patch from upstream to fix CVE-2013-2120 wrt bug #471904 by kensington.
Package-Manager: portage-2.2.0_alpha177
-rw-r--r--kde-base/kdeplasma-addons/files/kdeplasma-addons-4.10.3-cve-2013-2120.patch81
-rw-r--r--kde-base/kdeplasma-addons/kdeplasma-addons-4.10.4.ebuild4
2 files changed, 84 insertions, 1 deletions
diff --git a/kde-base/kdeplasma-addons/files/kdeplasma-addons-4.10.3-cve-2013-2120.patch b/kde-base/kdeplasma-addons/files/kdeplasma-addons-4.10.3-cve-2013-2120.patch
new file mode 100644
index 00000000000..88d78794a5e
--- /dev/null
+++ b/kde-base/kdeplasma-addons/files/kdeplasma-addons-4.10.3-cve-2013-2120.patch
@@ -0,0 +1,81 @@
+From d84015218bf78b707650cf5426ae1a469d37c29d Mon Sep 17 00:00:00 2001
+From: Aaron Seigo <aseigo@kde.org>
+Date: Mon, 3 Jun 2013 19:16:32 +0200
+Subject: [PATCH] use KRandom, avoid modulo bias
+
+---
+ applets/paste/pastemacroexpander.cpp | 29 ++++++++++++++++++++++-------
+ 1 file changed, 22 insertions(+), 7 deletions(-)
+
+diff --git a/applets/paste/pastemacroexpander.cpp b/applets/paste/pastemacroexpander.cpp
+index ea6163f..d0a8b49 100644
+--- a/applets/paste/pastemacroexpander.cpp
++++ b/applets/paste/pastemacroexpander.cpp
+@@ -27,6 +27,7 @@
+ #include <KDebug>
+ #include <KLocale>
+ #include <KMessageBox>
++#include <KRandom>
+
+ class PasteMacroExpanderSingleton
+ {
+@@ -142,35 +143,49 @@ QString PasteMacroExpander::password(const QString& args)
+ << "01234567890"
+ << "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~";
+
+- int charCount;
++ int charCount = 8;
+ QString chars;
+ QString result;
+
+ if (a.count() > 0) {
+- charCount = qMax(a[0].trimmed().toInt(), 1);
+- } else {
+- charCount = 8;
++ charCount = qMax(a[0].trimmed().toInt(), 8);
+ }
++
+ if (a.count() < 2) {
+ chars = characterSets.join("");
+ }
++
+ if (a.count() > 1) {
+ chars += (a[1].trimmed() == "true") ? characterSets[0] : "";
+ }
++
+ if (a.count() > 2) {
+ chars += (a[2].trimmed() == "true") ? characterSets[1] : "";
+ }
++
+ if (a.count() > 3) {
+ chars += (a[3].trimmed() == "true") ? characterSets[2] : "";
+ }
++
+ if (a.count() > 4) {
+ chars += (a[4].trimmed() == "true") ? characterSets[3] : "";
+ }
+
+- QDateTime now = QDateTime::currentDateTime();
+- qsrand(now.toTime_t() / now.time().msec());
++ const int setSize = chars.count();
++ const int top = (RAND_MAX / setSize) * setSize;
++ kDebug() << "topping out at " << setSize << RAND_MAX << top;
+ for (int i = 0; i < charCount; ++i) {
+- result += chars[qrand() % chars.count()];
++ // to prevent modulo bias, discard random numbers at the
++ // 'top end' of INT_MAX
++ int rand = -1;
++ do {
++ if (rand > 0) {
++ kDebug() << "Ha!" << rand;
++ }
++ rand = KRandom::random();
++ } while (rand >= top);
++
++ result += chars[rand % setSize];
+ }
+ //kDebug() << result;
+ return result;
+--
+1.8.2.1
+
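Review bot: `RAND_MAX / setSize` divides by zero when `chars` is empty, which the visible argument handling allows whenever two or more arguments are passed and none of `a[1]` to `a[4]` trims to "true"; an early `if (chars.isEmpty()) { return QString(); }` before `top` is computed (or a fallback to the full character set) would close that. The `kDebug() << "Ha!" << rand;` line writes each rejected generator output to the debug log, which exposes raw values from the same stream that produces the password, so I would remove it before shipping. The comment above the loop says INT_MAX where the code bounds against RAND_MAX. As far as I know, KRandom::random() in kdelibs 4 is libc rand() seeded once from /dev/urandom, so the password still comes from a non-cryptographic generator with a seed no larger than an unsigned int; taking the bytes directly from the OS random source would be the stronger fix and is worth tracking upstream. The body of PasteMacroExpander::password() starts above the inner hunk, so how `a` is split from `args` is not visible here.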
diff --git a/kde-base/kdeplasma-addons/kdeplasma-addons-4.10.4.ebuild b/kde-base/kdeplasma-addons/kdeplasma-addons-4.10.4.ebuild
index be3662d0e32..0b3cf52b8a6 100644
--- a/kde-base/kdeplasma-addons/kdeplasma-addons-4.10.4.ebuild
+++ b/kde-base/kdeplasma-addons/kdeplasma-addons-4.10.4.ebuild
@@ -8,7 +8,7 @@ inherit kde4-base
DESCRIPTION="Extra Plasma applets and engines"
LICENSE="GPL-2 LGPL-2"
-KEYWORDS=" ~amd64 ~arm ~ppc ~ppc64 ~x86 ~amd64-linux ~x86-linux"
+KEYWORDS="~amd64 ~arm ~ppc ~ppc64 ~x86 ~amd64-linux ~x86-linux"
IUSE="attica debug desktopglobe exif fcitx ibus json oauth qalculate qwt scim
semantic-desktop"
@@ -44,6 +44,8 @@ DEPEND="${COMMON_DEPEND}
RDEPEND="${COMMON_DEPEND}
"
+PATCHES=( "${FILESDIR}/${PN}-4.10.3-cve-2013-2120.patch" )
+
src_configure() {
mycmakeargs=(
-DDBUS_INTERFACES_INSTALL_DIR="${EPREFIX}/usr/share/dbus-1/interfaces/"
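Review bot: The security patch is added to kdeplasma-addons-4.10.4.ebuild in place, and the diffstat shows no revision bump, so a system that has already merged 4.10.4 will not be prompted to rebuild and would keep the unpatched paste applet. If 4.10.4 has been available to users of this repository, renaming the ebuild to `kdeplasma-addons-4.10.4-r1.ebuild` in the same commit would make the CVE-2013-2120 fix reach them on the next update. A one-line comment above `PATCHES` naming the upstream commit (`d84015218bf78b707650cf5426ae1a469d37c29d`, per the patch header) would also make it clear when the backport can be dropped.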