Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 18 Oct 2013 12:28:18 +1100
From: Michael Samuel <mik@...net.net>
To: oss-security@...ts.openwall.com
Subject: Re: RESEND: CVE Request: pwgen

On 16 October 2013 16:59, Kurt Seifried <kseifried@...hat.com> wrote:
> CVE-2013-4443 pwgen Secure mode has bias towards numbers and uppercase
> letters

Solar Designer picked up that this one should probably not have been assigned.

The problem wasn't normal bias - it was that it was enforcing
"password rules" requiring at-least one uppercase and number, but not
lowercase (which was a normal bug).  So the "fix" would technically
make the keyspace smaller.

I added the -R / --no-rules flag to my branch which removes
enforcement altogether, the full diff from 2.06 can be viewed here:
https://github.com/therealmik/pwgen/compare/securityfixes

Before using this flag, you should consider the minor negative effects
on the keyspace vs. generating passwords which might be "accidentally"
cracked while looking for simpler passwords.  Either way, generating a
longer password has a far better effect on security.

It is not my intent to maintain this package long-term.  If anyone is
interested, please fork and push NMUs to Debian.

Regards,
  Michael

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.