Weak session IDs generated CVE-2014-2875

[brianmay]

I don't actually see any bug reports open on this CVE, so I am creating a bug report here.

https://security-tracker.debian.org/tracker/CVE-2014-2875

As far as I can tell, the issue is still present in the latest git source.

I believe the vulnerable code itself is in
https://github.com/keplerproject/cgilua/blob/master/src/cgilua/session.lua
and is these bits:

 local RANGE = 999999999
 [...]
 randseed (mod (time(), RANGE))

 [...]

 local function new_id ()
   return rand (RANGE)
 end

I think it it probably safe to assume rand() doesn't meet the requirements for a session id. As in it generates numbers that are predictable.

I am not really familiar with how to generate an appropriate id, but I do notice there are some crypto libraries for LUA, e.g. https://github.com/philanc/plc

On the Debian mailing list, it was suggested "a more secure function is to simply read the value from /dev/urandom".

[brianmay]

I believe the following code on something similar - would fix this issue:

   local function new_id()
       local path = "/dev/urandom"
       local file = io.open(path, "rb")
       if not file then return nil end
       local content = file:read(16)
       content = basexx.to_hex(content)
       file:close()
       return content
   end

Note this requires basexx. It also might breaks the check_id() function which expects the session id be an integer.