
List:       oss-security
Subject:    [oss-security] RESEND: CVE Request: pwgen
From:       Michael Samuel <mik () miknet ! net>
Date:       2013-09-26 1:11:59
Message-ID: CACYkhxgNy0tCbWPih+4_cJnQ8GoV-uAFaCTQok1bQ+fbiARVPw () mail ! gmail ! com


Hi,

No CVEs have been assigned for this, and as far as I can tell no
distributions have patched.

On 6 June 2013 14:19, Michael Samuel <mik@miknet.net> wrote:

> I've done some further analysis of the program after reading the previous
> thread, and I think there needs to be CVEs and fixes for:
>
> - When used from a non-tty passwords are trivially weak by default (first
> reported by Solar Designer)
> - Phonemes mode has heavy bias and is enabled by default (first reported
> by Solar Designer)
> - Silent fallback to insecure entropy (first reported by Jean-Michel
> Vourgère) (Debian bug #672241 - tagged as "wishlist")
> - Secure mode has bias towards numbers and uppercase letters
>
> I've attached a patch that fixes most issues - it doesn't solve the bias
> towards numbers, because it's caused by requiring at least one number per
> password - so in an 8 character password there'd have to be 0.1 numbers to
> avoid bias.  There's an argument to be made for removing the at-least-one
> rule, but if the system that password is being used with has those rules,
> it doesn't fix the problem anyway.  Perhaps a separate flag for that?
>
> The changes are:
>
> - Print a message and abort() if there's trouble opening or reading
> /dev/urandom (So apport should pick up any packages that have been using
> insecure entropy)
> - Make "-s" the default
> - Add an argument --insecure-phonemes (or -P)
> - Non-tty passwords are now as secure as tty
> - Require lower-case characters be present to even out some bias
> - Pull in passwdqc as a Suggests on the debian package - pwqgen can
> generate sane random passphrases
>
> I can't imagine any reasonable use-case for the non-tty defaults (except
> maybe combining with espeak as an enhanced interrogation technique), and
> you can be certain that there's some people out there with it embedded in a
> script that's generating useless passwords.
>
> For phonemes mode in general, the bias is extreme, there are a limited
> number of possible combinations and it is generally not suitable for
> security purposes.  I have some fairly detailed analysis of it, but I
> believe this list has a no-exploits policy...
>
> Regards,
>   Michael
>

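As an added illustration that is not part of this thread or of pwgen itself, the script below computes exactly how much a "must contain at least one digit / one uppercase" rule skews the per-position character frequencies and how much entropy the rejection loop discards; it assumes a 62-symbol alphabet of lowercase, uppercase and digits (an assumption for the illustration, not pwgen's exact character set) and generalises to any combination of required classes via inclusion-exclusion.

```python
from fractions import Fraction
from itertools import combinations
from math import log2

# Assumed alphabet: 26 lower, 26 upper, 10 digits (62 symbols). This is an
# assumption for the illustration, not pwgen's exact character set.
ALPHABET = 62
CLASSES = {"lower": 26, "upper": 26, "digit": 10}


def p_all_present(length, sizes):
    """P(a uniform string of `length` symbols contains at least one symbol of
    every class in `sizes`), by inclusion-exclusion over the missing classes."""
    total = Fraction(0)
    for k in range(len(sizes) + 1):
        for missing in combinations(sizes, k):
            total += (-1) ** k * Fraction(ALPHABET - sum(missing), ALPHABET) ** length
    return total


def p_position_in_class(length, name, required):
    """P(a fixed position holds a `name` symbol | every class in `required`
    occurs). With a uniform generator this is CLASSES[name] / ALPHABET; the
    rule changes it because that position already covers its own class, so the
    other length-1 positions need only cover the remaining required classes."""
    rest = [CLASSES[n] for n in required if n != name]
    joint = Fraction(CLASSES[name], ALPHABET) * p_all_present(length - 1, rest)
    return joint / p_all_present(length, [CLASSES[n] for n in required])


def entropy_loss_bits(length, required):
    """Rejection sampling leaves a uniform distribution over the accepted set,
    so the password entropy drops by exactly -log2(P(accept))."""
    return -log2(float(p_all_present(length, [CLASSES[n] for n in required])))


def bias_report(length, required):
    """Per-class per-position probability as (uniform, under the rule)."""
    return {n: (CLASSES[n] / ALPHABET, float(p_position_in_class(length, n, required)))
            for n in CLASSES}


if __name__ == "__main__":
    # Compare the "at least one digit and one uppercase" rule with the
    # patch's "also require a lowercase" variant for 8-character passwords.
    for rule in (["digit", "upper"], ["digit", "upper", "lower"]):
        print(rule, {n: (round(u, 4), round(c, 4)) for n, (u, c) in bias_report(8, rule).items()},
              "entropy loss %.3f bits" % entropy_loss_bits(8, rule))
```

Requiring every class (as the patch does) does not remove the skew but spreads it, which is why the message says the bias towards numbers remains as long as an at-least-one rule exists.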
