Package: kpcli
Version: 2.7-1
Severity: normal

kpcli uses rand() for its RNG, which is not cryptographically secure [0]. A
drop-in replacement would be to use Math::Random::ISAAC [1], which provides a
rand() subroutine via the `libmath-random-isaac-perl' package, which should be
provided as a dependency, with the following patch:

    --- /usr/bin/kpcli  2016-07-29 11:09:21.641197137 -0600
    +++ /tmp/kpcli      2016-07-29 11:09:18.501285457 -0600
    @@ -38,6 +38,7 @@
     use Term::ReadKey;           # non-core, libterm-readkey-perl on Ubuntu
     use Term::ShellUI;           # non-core, libterm-shellui-perl on Ubuntu
     use File::KeePass 0.03;      # non-core, libfile-keepass-perl on Ubuntu
    +use Math::Random::ISAAC qw(rand); # non-core, libmath-random-isaac-perl on 
Debian
                                  #  - >=v0.03 needed due critical bug fixes
     # Pull in optional perl modules with run-time loading
     my %OPTIONAL_PM=();
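Review bot: the added `+use Math::Random::ISAAC qw(rand);` line assumes the module exports a drop-in `rand` function, but Math::Random::ISAAC documents an object-oriented interface (`Math::Random::ISAAC->new(@seeds)`, then `$rng->rand()` or `$rng->irand()`), not an exported `rand`; if nothing is exported, `use Math::Random::ISAAC qw(rand)` is silently skipped and the core builtin stays in place, so the patch would change nothing. The call sites that draw random values should instead go through a generator object created once and seeded from a real entropy source, since ISAAC's output is only as unpredictable as its seed. Two smaller points: the `+use` line is wrapped across two lines in the report ("on" / "Debian") and must be a single line for the patch to apply, and its trailing comment says "on Debian" while the neighbouring lines say "on Ubuntu".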

After some brief testing, I cannot find any usability bugs this patch
presents by replacing the Perl core rand() with Math::Random::ISAAC. This does
mean that kpcli will now need to depend on `libmath-random-isaac-perl'.

    0. http://perldoc.perl.org/functions/rand.html
    1. http://www.perlmonks.org/bare/?node_id=465675

This bug was reported upstream, but the developer closed the bug and marked it
as invalid, without any response as to why [2].

    2. https://sourceforge.net/p/kpcli/bugs/30/
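The following is an added example, not kpcli's code and not part of the bug report, showing what using Math::Random::ISAAC in place of core rand() looks like when done through the module's object interface: the generator is seeded with 256 32-bit words read from /dev/urandom (the seeding source and the 1024-byte read are this example's choices), and characters are drawn with rejection sampling so that `irand() % n` does not bias the output toward the start of the alphabet. The subroutine names `new_rng`, `uniform_below` and `generate_password`, the alphabet and the length of 20 are all constructed for this illustration.

```perl
#!/usr/bin/perl
# Added example (not kpcli's own code): generate password characters from
# an ISAAC generator seeded by the kernel CSPRNG instead of core rand().
use strict;
use warnings;
use Math::Random::ISAAC;   # libmath-random-isaac-perl on Debian

# Fill ISAAC's full 256-word state from /dev/urandom. Seeding from time()
# or a few bytes would make the output guessable regardless of the cipher.
sub new_rng {
    open(my $fh, '<:raw', '/dev/urandom')
        or die "cannot open /dev/urandom: $!";
    my $n = read($fh, my $buf, 1024);
    die "short read from /dev/urandom" unless defined $n && $n == 1024;
    close $fh;
    return Math::Random::ISAAC->new(unpack('L*', $buf));   # 256 x 32-bit seeds
}

# Uniform integer in [0, $n). irand() returns a 32-bit value; values in the
# top partial bucket are rejected so that every residue is equally likely.
sub uniform_below {
    my ($rng, $n) = @_;
    die "range must be positive" unless $n > 0;
    my $limit = 2**32 - (2**32 % $n);   # largest multiple of $n <= 2**32
    my $r;
    do { $r = $rng->irand() } while ($r >= $limit);
    return $r % $n;
}

# Build a password of $length characters drawn from $alphabet.
sub generate_password {
    my ($rng, $length, $alphabet) = @_;
    my @chars = split //, $alphabet;
    my $pw = '';
    for (1 .. $length) {
        $pw .= $chars[ uniform_below($rng, scalar @chars) ];
    }
    return $pw;
}

# Constructed alphabet and length for the demonstration.
my $alphabet = join('', 'a' .. 'z', 'A' .. 'Z', '0' .. '9', '!@#$%^&*');
my $rng      = new_rng();
print generate_password($rng, 20, $alphabet), "\n";
```

The generator object is created once and reused for every draw; creating a new object per character would re-read entropy needlessly, and seeding it with fewer than 256 words leaves part of the state at its default.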

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages kpcli depends on:
ii  libclone-perl              0.38-2
ii  libcrypt-rijndael-perl     1.13-1+b1
ii  libfile-keepass-perl       2.03-1
ii  libsort-naturally-perl     1.03-1
ii  libterm-readkey-perl       2.33-1+b1
ii  libterm-readline-gnu-perl  1.34-1
ii  libterm-shellui-perl       0.92-2
ii  perl                       5.22.2-3

Versions of packages kpcli recommends:
ii  libcapture-tiny-perl   0.42-1
ii  libdata-password-perl  1.12-1

kpcli suggests no packages.

-- no debconf information

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o
