Hello community, here is the log from the commit of package libxslt for openSUSE:Factory checked in at 2017-04-11 09:30:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libxslt (Old) and /work/SRC/openSUSE:Factory/.libxslt.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libxslt" Tue Apr 11 09:30:05 2017 rev:50 rq:486319 version:1.1.29 Changes: --------
--- /work/SRC/openSUSE:Factory/libxslt/libxslt.changes 2017-03-16 09:34:27.266908559 +0100
+++ /work/SRC/openSUSE:Factory/.libxslt.new/libxslt.changes 2017-04-11 09:30:07.084595939 +0200
@@ -1,0 +2,7 @@
+Wed Apr 5 07:46:27 UTC 2017 - [email protected]
+
+- security update: initialize random generator, CVE-2015-9019
+ [bsc#934119]
+ + libxslt-random-seed.patch
+
+-------------------------------------------------------------------
New: ---- libxslt-random-seed.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ libxslt.spec ++++++
--- /var/tmp/diff_new_pack.p01DKv/_old 2017-04-11 09:30:09.240291488 +0200
+++ /var/tmp/diff_new_pack.p01DKv/_new 2017-04-11 09:30:09.244290923 +0200
@@ -32,6 +32,7 @@
 Patch1: libxslt-config-fixes.patch
 Patch2: 0009-Make-generate-id-deterministic.patch
 Patch3: libxslt-CVE-2016-4738.patch
+Patch4: libxslt-random-seed.patch
 BuildRequires: libgcrypt-devel
 BuildRequires: libgpg-error-devel
 BuildRequires: libtool
@@ -101,6 +102,7 @@
 %patch1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 %build
 autoreconf -fvi
++++++ libxslt-random-seed.patch ++++++
commit 047a0fd99e64c554c4edf44cc67ee765b09af017
Author: Marcus Meissner <[email protected]>
Date: Tue Apr 4 16:27:39 2017 +0200
initialize the random seed
diff --git a/libexslt/math.c b/libexslt/math.c
index 6b24dbe0..b7a8d6e1 100644
--- a/libexslt/math.c
+++ b/libexslt/math.c
@@ -23,6 +23,14 @@
 #ifdef HAVE_STDLIB_H
 #include <stdlib.h>
 #endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#include <fcntl.h>
+#ifdef HAVE_TIME_H
+#include <time.h>
+#endif
+
 #include "exslt.h"
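Review bot: `#include <fcntl.h>` is added unconditionally in the libexslt/math.c include hunk, while `<unistd.h>` and `<time.h>` next to it are wrapped in `HAVE_UNISTD_H` / `HAVE_TIME_H`. The following hunk in the same file then calls `open`, `read`, `close` and `time` with no matching guard. On a target where configure leaves those macros undefined, the seeding code would presumably fail to build or call undeclared functions. Either wrap the `/dev/urandom` block in the same `#ifdef HAVE_UNISTD_H` (keeping only the `time(NULL)` path otherwise) or make the includes unconditional, so that the guards and the code agree.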
@@ -474,6 +482,20 @@ static double
 exsltMathRandom (void) {
 double ret;
 int num;
+ long seed;
+ static int randinit = 0;
+
+ if (!randinit) {
+ int fd = open("/dev/urandom",O_RDONLY);
+
+ seed = time(NULL); /* just in case /dev/urandom is not there */
+ if (fd != -1) {
+ read (fd, &seed, sizeof(seed));
+ close (fd);
+ }
+ srand(seed);
+ randinit = 1;
+ }
 num = rand();
 ret = (double)num / (double)RAND_MAX;
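Review bot: The added `read (fd, &seed, sizeof(seed));` inside the `if (!randinit)` block ignores its return value, so an error or short read silently leaves `seed` at the `time(NULL)` fallback or only partly overwritten, and that fallback is guessable to anyone who knows roughly when the process started. Check the result, e.g. `if (read(fd, &seed, sizeof(seed)) != (ssize_t) sizeof(seed)) seed = time(NULL);`, and write `srand((unsigned int) seed);` so the narrowing from `long` is explicit. The `static int randinit` guard is unsynchronized, and `srand()` reseeds the process-wide generator that the host application may also be using; both deserve at least a comment here. `rand()` is still a non-cryptographic generator after this change, so a comment stating that `math:random()` output must not be used for secrets or tokens would help callers. exsltMathRandom's body continues past the end of the hunk.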
