oss-sec mailing list archives

Re: gpw password generator giving short password at low rate
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 17 Jan 2012 14:23:09 -0700

On 01/17/2012 02:24 AM, Yves-Alexis Perez wrote:
> On mar., 2012-01-17 at 11:17 +0200, Henri Salo wrote:
>> On Tue, Jan 17, 2012 at 09:51:05AM +0100, Yves-Alexis Perez wrote:
>>> we were pointed at a bug in gpw (a password generator), which makes it
>>> generate shorter passwords than required at a rate of ~20 over 1 million.
>>> The bug is at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651510
>>> (so already public) and I'm wondering if that deserves a CVE:
>>>
>>> * gpw seems unmaintained (upstream and in Debian since around 2006)
>>> * I'm not sure people even use it
>>> * people using it interactively will notice the password has the wrong
>>> size
>>>
>>> But as it may be used in a script, then it might still be a real issue.
>>>
>>> What do people think?
>> I think this is a security issue and should receive a CVE. Is this program
>> used in other distributions we could notify? Has this been fixed in
>> other versions?
>
> Not that I know of (but I didn't know anything about gpw before reading
> that bug report). It should be present in Debian derivatives, at least.
>
> Regards,
Please use CVE-2011-4931 for this issue.

-- 

-- Kurt Seifried / Red Hat Security Response Team
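
For the scripted use the thread worries about, a caller can refuse any generated password whose length differs from the one requested. The following is an added example, not part of the thread and not gpw's code; `check_len`, `gen_checked` and the stand-in generator `flaky_gen` are hypothetical names, and the sample passwords are constructed.

```shell
#!/bin/sh
# Added example: fail-closed length check around a password generator.
# All function names here are hypothetical; none come from gpw.

# check_len WANT PASSWORD: succeed only if PASSWORD is exactly WANT characters.
check_len() {
    [ "${#2}" -eq "$1" ]
}

# gen_checked WANT MAX_TRIES CMD [ARGS...]
# Runs CMD and prints its output only if it has the requested length.
# Returns 0 on success, 1 if every try had the wrong length (nothing is
# printed), 2 if the generator command itself failed.
gen_checked() {
    want=$1; tries=$2; shift 2
    i=0
    while [ "$i" -lt "$tries" ]; do
        i=$((i + 1))
        pw=$("$@") || return 2
        if check_len "$want" "$pw"; then
            printf '%s\n' "$pw"
            return 0
        fi
        # Log the length only, never the rejected password itself.
        echo "generator returned ${#pw} chars, wanted $want (try $i)" >&2
    done
    return 1
}

# Constructed stand-in for a generator with the reported failure mode:
# the first call returns 7 characters, later calls return the requested 8.
STATE=$(mktemp)
echo 0 > "$STATE"
flaky_gen() {
    n=$(( $(cat "$STATE") + 1 ))
    echo "$n" > "$STATE"
    if [ "$n" -eq 1 ]; then echo "abcdefg"; else echo "abcdefgh"; fi
}

# The short first result is rejected and the second one is used.
gen_checked 8 3 flaky_gen
```

In a real script, replace `flaky_gen` with the actual generator command and treat a non-zero return as a hard failure rather than falling back to the short value.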

