authorMax Kanat-Alexander <>2011-01-24 22:43:38 +0100
committerMax Kanat-Alexander <>2011-01-24 22:43:38 +0100
commit95b919c0b6b731d16e92dd748e654cefeba0bd32 (patch)
tree254f2da4d90de25ae6700464f5e6705f8be8a98e /
parentad1e3aef99b806d7f4a5bd18aa0c8cc6102f62e6 (diff)
Bug 619594: (CVE-2010-4568) [SECURITY] Improve the randomness of
generate_random_password, to protect against an account compromise issue and other critical vulnerabilities. r=LpSolit, a=LpSolit
Diffstat (limited to '')
1 files changed, 7 insertions, 2 deletions
diff --git a/ b/
index 3551abdaf..0c7caf173 100644
--- a/
+++ b/
@@ -37,6 +37,7 @@ use lib Bugzilla::Constants::bz_locations()->{'ext_libpath'};
use Apache2::ServerUtil;
use ModPerl::RegistryLoader ();
use File::Basename ();
+use Math::Random::Secure;
# This loads most of our modules.
use Bugzilla ();
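Review bot: The new `use Math::Random::Secure;` is the only import in this run that accepts the module's default export list, while the surrounding `use ModPerl::RegistryLoader ();`, `use File::Basename ();` and `use Bugzilla ();` all pass an empty list, and the child-init handler in the second hunk calls `Math::Random::Secure::srand()` fully qualified anyway. Writing it as `use Math::Random::Secure ();` keeps the file's convention and avoids pulling the module's exported names (it appears to export its own `rand` by default, which would shadow the builtin in this package; confirm against the installed version). The diffstat shows only this file changing, so if Math::Random::Secure is not yet among Bugzilla's declared required modules, a missing install will surface here as a compile failure at server start rather than as an install-time check; that should be verified in the requirements list or a companion commit.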
@@ -60,8 +61,12 @@ my $cgi_path = Bugzilla::Constants::bz_locations()->{'cgi_path'};
# Set up the configuration for the web server
my $server = Apache2::ServerUtil->server;
my $conf = <<EOT;
-# Make sure each httpd child receives a different random seed (bug 476622)
-PerlChildInitHandler "sub { srand(); }"
+# Make sure each httpd child receives a different random seed (bug 476622).
+# Math::Random::Secure has one srand that needs to be called for
+# every process, and Perl has another. (Various Perl modules still use
+# the built-in rand(), even though we only use Math::Random::Secure in
+# Bugzilla itself, so we need to srand() both of them.)
+PerlChildInitHandler "sub { Math::Random::Secure::srand(); srand(); }"
<Directory "$cgi_path">
AddHandler perl-script .cgi
# No need to PerlModule these because they're already defined in
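Review bot: The reseeding logic on the `PerlChildInitHandler` line lives inside the `$conf` heredoc, so mod_perl compiles it from a string at child start and it is never seen by this file's `use strict`/`use warnings` checks; a named sub in this file, `sub child_init { Math::Random::Secure::srand(); srand(); }`, referenced as `PerlChildInitHandler <this file's package>::child_init`, would be checked at compile time and easier to test. The commit message describes improving `generate_random_password`, but the diffstat limits this change to one file, so the actual switch of that function to Math::Random::Secure presumably lands elsewhere; the new comment would read more accurately if it said this hunk only guarantees that every forked httpd child reseeds both generators rather than inheriting the parent's state. It is also worth confirming how mod_perl treats a `die` from a child-init handler, so that a child whose entropy source is unavailable for `Math::Random::Secure::srand()` does not keep serving with an unseeded generator. The heredoc continues past this hunk.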