Source: zoneminder
Version: 1.29.0+dfsg-2
Severity: wishlist
Tags: patch security
User: reproducible-builds@lists.alioth.debian.org
Usertags: randomness
X-Debbugs-Cc: reproducible-builds@lists.alioth.debian.org

Hi,

Whilst working on the "reproducible builds" effort [0], we noticed
that zoneminder could not be built reproducibly.

This is because the random seeds are generated at build time, meaning
that all zoneminder instances--on each architecture--share the same
secret key. Is this a security issue? Tagging as such; please untag
if not.

Patch attached that generates these at installation time.

 [0] https://wiki.debian.org/ReproducibleBuilds


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
--- a/debian/patches/reproducible_build.patch   1970-01-01 02:00:00.000000000 
+0200
--- b/debian/patches/reproducible_build.patch   2016-07-13 15:44:01.209534314 
+0200
@@ -0,0 +1,17 @@
+--- zoneminder-1.29.0+dfsg.orig/web/api/app/Config/core.php.default
++++ zoneminder-1.29.0+dfsg/web/api/app/Config/core.php.default
+@@ -223,12 +223,12 @@
+ /**
+  * A random string used in security hashing methods.
+  */
+-      Configure::write('Security.salt', '@ZM_API_SALT@');
++      Configure::write('Security.salt', '__ZM_API_SALT__');
+ 
+ /**
+  * A random numeric string (digits only) used to encrypt/decrypt strings.
+  */
+-      Configure::write('Security.cipherSeed', '@ZM_API_SEED@');
++      Configure::write('Security.cipherSeed', '__ZM_API_SEED__');
+ 
+ /**
+  * Apply timestamps with the last modified time to static assets (js, css, 
images).
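Review bot: the file this hunk edits does not obviously match the file the postinst later rewrites. The placeholders are introduced in web/api/app/Config/core.php.default, while the sed in debian/zoneminder.postinst targets /usr/share/zoneminder/www/api/app/Config/core.php; please confirm the packaging copies or renames the .default file to core.php after this patch is applied, otherwise the installed config keeps the literal `__ZM_API_SALT__` / `__ZM_API_SEED__` strings as its salt and cipher seed on every system, which is the same shared-secret problem the report describes. Since the `@ZM_API_SALT@` / `@ZM_API_SEED@` markers are removed here, also check that no other build step still expects to substitute them.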
--- a/debian/patches/series     2016-07-13 15:14:24.019364798 +0200
--- b/debian/patches/series     2016-07-13 15:43:51.469404943 +0200
@@ -9,3 +9,4 @@
 docs.patch
 spelling-corrections.patch
 use_libjs-mootools.patch
+reproducible_build.patch
--- a/debian/zoneminder.postinst        2016-07-13 15:14:24.019364798 +0200
--- b/debian/zoneminder.postinst        2016-07-13 15:43:22.441019824 +0200
@@ -2,12 +2,21 @@
 
 set -e
 
+Generate_random () {
+       tr -dc $1 < /dev/urandom | head -c $2
+}
+
 if [ "$1" = "configure" ]; then
                chown www-data:root /var/log/zm
                chown www-data:www-data /var/lib/zm
                if [ -z "$2" ]; then
                        chown www-data:www-data -R /var/cache/zoneminder
                fi
+
+               sed -i \
+                       -e "s@__ZM_API_SALT__@$(Generate_random A-Za-z0-9 
29)@g" \
+                       -e "s@__ZM_API_SEED__@$(Generate_random 0-9 40)@g" \
+                       /usr/share/zoneminder/www/api/app/Config/core.php
 fi
 
 #DEBHELPER#
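Review bot: the salt and seed are regenerated on every `configure` run, not only on first install, and the file being rewritten lives under /usr/share, which dpkg replaces on each upgrade; together that means every upgrade mints a fresh Security.salt and Security.cipherSeed, and anything the API hashed or encrypted with the previous values (the comment in core.php describes the salt as used "in security hashing methods") stops validating. Guarding the sed with `[ -z "$2" ]` as the chown above does is not sufficient on its own, because the placeholder file comes back on upgrade; generate the values once, keep them somewhere persistent (under /etc or via debconf, for example), and re-apply the stored values in the sed on each configure. Two smaller points: quote the parameters in `Generate_random` (`tr -dc "$1" < /dev/urandom | head -c "$2"`), and verify afterwards that no `__ZM_API_` placeholder remains in core.php, so that a silently failed substitution cannot leave the shared placeholder string in use as the live salt.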