[Secure-testing-team] Bug#726578: pwgen: Multiple vulnerabilities in passwords generation

Yves-Alexis Perez corsac at debian.org
Wed Oct 16 20:03:35 UTC 2013


Package: pwgen
Severity: grave
Tags: security
Justification: user security hole

Hi Theodore,

multiple CVEs were just assigned to pwgen, following the analysis by
Solar Designer and other people (see thread at
http://marc.info/?l=oss-security&m=138015793928431&w=2)

CVE-2013-4440 non-tty passwords are trivially weak by default
CVE-2013-4441 Phonemes mode has heavy bias and is enabled by default
CVE-2013-4442 Silent fallback to insecure entropy
CVE-2013-4443 Secure mode has bias towards numbers and uppercase letters

I'm not too sure how to handle that, especially for stable releases,
since it seems major refactoring might be needed to get rid of the
weaknesses and bias.

Regards,
-- 
Yves-Alexis Perez
Debian Security

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (450, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
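As an added example, not part of this report or of pwgen's own code: one way a maintainer or user can check a generator's output for the character-class bias CVE-2013-4443 describes is a chi-square comparison of the observed digit/upper/lower frequencies against what a uniform draw over the 62-character alphabet would give. The `biased_generator` below is a constructed stand-in that over-picks digits; it does not reproduce pwgen's selection logic.

```python
import secrets
import string
from collections import Counter

# Character classes of a mixed-case alphanumeric generator; pwgen's own
# selection logic is not reproduced here.
CLASSES = {"digit": string.digits, "upper": string.ascii_uppercase,
           "lower": string.ascii_lowercase}
ALPHABET = "".join(CLASSES.values())  # 62 characters
CHI2_CRIT = 13.82  # chi-square critical value, 2 degrees of freedom, p = 0.001

def class_of(ch):
    for name, chars in CLASSES.items():
        if ch in chars:
            return name
    return "other"

def class_chi_square(passwords):
    """Chi-square of observed digit/upper/lower counts against the shares a
    uniform draw over ALPHABET gives (10/62, 26/62, 26/62). Characters outside
    ALPHABET count toward the total but to no class."""
    observed = Counter(class_of(c) for pw in passwords for c in pw)
    total = sum(observed.values())
    chi2 = 0.0
    for name, chars in CLASSES.items():
        expected = total * len(chars) / len(ALPHABET)
        chi2 += (observed[name] - expected) ** 2 / expected
    return chi2, dict(observed)

def is_biased(passwords, threshold=CHI2_CRIT):
    """True when the class mix deviates from uniform beyond the threshold."""
    return class_chi_square(passwords)[0] > threshold

def uniform_generator(length, n):
    """Baseline: each character drawn uniformly from the 62-character alphabet."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length))
            for _ in range(n)]

def biased_generator(length, n):
    """Constructed stand-in for a biased generator (not pwgen): pick a class
    uniformly, then a character in it, so digits get 1/3 of picks, not 10/62."""
    names = list(CLASSES)
    return ["".join(secrets.choice(CLASSES[secrets.choice(names)])
                    for _ in range(length)) for _ in range(n)]
```

Running `class_chi_square(biased_generator(16, 2000))` gives a statistic in the thousands, while the uniform baseline stays near 2 (the mean for two degrees of freedom); a real generator's output can be fed in as the `passwords` list in the same way.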
