Date: Tue, 17 Jan 2012 10:24:16 +0100
From: Yves-Alexis Perez <corsac@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: gpw password generator giving short password at low rate

On mar., 2012-01-17 at 11:17 +0200, Henri Salo wrote:
> On Tue, Jan 17, 2012 at 09:51:05AM +0100, Yves-Alexis Perez wrote:
> > we were pointed at a bug in gpw (a password generator), which makes it
> > generate shorter passwords than required at a rate of ~20 over 1 million.
> > The bug is at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651510
> > (so already public) and I'm wondering if that deserves a CVE:
> > 
> > * gpw seems unmaintained (upstream and in Debian since around 2006)
> > * I'm not sure people even use it
> > * people using it interactively will notice the password has the wrong
> > size
> > 
> > But as it may be used in a script, then it might still be a real issue.
> > 
> > What do people think?
> 
> I think this is a security issue and should receive a CVE. Is this program
> used in other distributions we could notify? Has this been fixed in
> other versions?
> 
Not that I know of (but I didn't know anything about gpw before reading
that bug report). It should be present in Debian derivatives, at least.

Regards,
-- 
Yves-Alexis
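A defensive check for the scripted use case raised in the thread, added here as an example and not part of the original messages: a POSIX sh wrapper that refuses any generator output whose length differs from what was requested and retries a bounded number of times. The function name is made up for this example, and the gpw argument order shown in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): validate the length of a generated
# password before a script uses it, since a generator that occasionally
# emits a short password (the gpw bug discussed above) will otherwise go
# unnoticed in non-interactive use.
#
# Usage: checked_password LENGTH MAX_TRIES GENERATOR [ARGS...]
#   e.g. checked_password 12 5 gpw 1 12   (assumed gpw order: count, length)
# Prints exactly one password of LENGTH characters on stdout and returns 0,
# or prints nothing and returns 1 if every attempt was the wrong length.
checked_password() {
    want=$1
    tries=$2
    shift 2
    i=0
    while [ "$i" -lt "$tries" ]; do
        i=$((i + 1))
        # Keep only the first line: some generators print one password per line.
        pw=$("$@" | head -n 1)
        if [ "${#pw}" -eq "$want" ]; then
            printf '%s\n' "$pw"
            return 0
        fi
        # Log the anomaly so a run of short passwords is visible in job output.
        printf 'checked_password: got %d chars, wanted %d (attempt %d/%d)\n' \
            "${#pw}" "$want" "$i" "$tries" >&2
    done
    return 1
}
```

The `${#pw}` length test counts bytes in most shells, which is exact for the ASCII passwords gpw produces; for generators emitting multibyte characters use `wc -m` instead.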

