From 7985df37681f54d013816a4641da4f9b085b3aa5 Mon Sep 17 00:00:00 2001
From: Nick Craig-Wood
Date: Wed, 18 Nov 2020 12:03:01 +0000
Subject: [PATCH] random: fix incorrect use of math/rand instead of crypto/rand

CVE-2020-28924
For implications see the linked issue.
Fixes #4783
---
 lib/random/random.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/lib/random/random.go b/lib/random/random.go
index 7da76f9e2..5d6f4d6b0 100644
--- a/lib/random/random.go
+++ b/lib/random/random.go
@@ -2,8 +2,9 @@
 package random
 
 import (
+	cryptorand "crypto/rand"
 	"encoding/base64"
-	"math/rand"
+	mathrand "math/rand"
 
 	"github.com/pkg/errors"
 )
@@ -23,7 +24,7 @@ func String(n int) string {
 	for i := range out {
 		source := pattern[p]
 		p = (p + 1) % len(pattern)
-		out[i] = source[rand.Intn(len(source))]
+		out[i] = source[mathrand.Intn(len(source))]
 	}
 	return string(out)
 }
@@ -41,7 +42,7 @@ func Password(bits int) (password string, err error) {
 		bytes++
 	}
 	var pw = make([]byte, bytes)
-	n, err := rand.Read(pw)
+	n, err := cryptorand.Read(pw)
 	if err != nil {
 		return "", errors.Wrap(err, "password read failed")
 	}
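Review bot: String keeps drawing from math/rand after this change (`out[i] = source[mathrand.Intn(len(source))]`), so the only thing separating it from Password is intent, and nothing in the hunk documents that. Unless a Seed call exists elsewhere in the package, the default math/rand source in the Go versions current at this commit is deterministic, so String yields the same sequence on every process start; its doc comment (outside this hunk) should make the contract explicit, e.g. `// String returns a random string of length n drawn from math/rand. It is not cryptographically secure and must not be used for passwords, tokens or keys; use Password for those.`. The body of String begins before the hunk.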
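Review bot: crypto/rand.Read is documented to return n == len(pw) exactly when err == nil, so after the switch to `n, err := cryptorand.Read(pw)` any separate length check on n that follows below the hunk is redundant and can be dropped along with the n result, leaving `_, err = cryptorand.Read(pw)` or the error check alone; if no such check exists, n is simply an unused-in-practice value worth removing for clarity. The wrapped error text `"password read failed"` is fine but a comment above the read saying `// crypto/rand is required here: the output is used as a secret.` would stop a future cleanup from reverting to math/rand. Password's signature and remaining body lie outside the hunk.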