Re: CVE request: python-pyrad insecurities

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/15/2013 04:53 PM, Vincent Danen wrote:
> * [2013-02-15 19:51:07 +0000] Christey, Steven M. wrote:
>
> > These two issues were fixed in the same diff and reflect poor 
> > randomness - should we have only assigned one CVE?  (If the
> > RADIUS feature was introduced in different versions than the 
> > authenticator-password feature, then maybe the SPLIT is
> > acceptable.)
>
> I'm not sure.  I didn't go digging to see when they were introduced
> -- both features may have been introduced at the same time (or
> not).
>
> Ok, so doing a quick peek at the first full blob of it in git:
>
> https://github.com/wichert/pyrad/blob/c206b1dfc362db8b0ef9c256814377bde8ed91cf/pyrad/packet.py
>
>
>
> The use of random.randrange() is in both the CreateAuthenticator()
> and CreateID() functions, so I would bet that they've been like
> that the whole time (that blob is from Sept 2007).  So I guess one
> CVE is probably sufficient.
>
> I only noted them as two issues as we had two separate bug reports
> about them.
>
> > -----Original Message----- From: Kurt Seifried
> > [mailto:kseifried () redhat com] Sent: Friday, February 15, 2013
> > 2:37 PM To: oss-security () lists openwall com Cc: Vincent Danen 
> > Subject: Re: [oss-security] CVE request: python-pyrad
> > insecurities
> On 02/15/2013 09:14 AM, Vincent Danen wrote:
> > > > Could a CVE be assigned to the following two issues please?
> > > >
> > > > #1: https://bugzilla.redhat.com/show_bug.cgi?id=911682
> > > >
> > > > Nathaniel McCallum of Red Hat reported that pyrad was using 
> > > > Python's random module in a number of places to generate 
> > > > pseudo-random data.  In the case of the authenticator data,
> > > > it was being used to secure a password sent over the wire.
> > > > Because Python's random module is not really suited for this
> > > > purpose (not random enough), it could lead to password
> > > > hashing that may be predictable.
>
> Please use CVE-2013-0294 for this issue.
>
>
> > > > #2: https://bugzilla.redhat.com/show_bug.cgi?id=911685
> > > >
> > > > Nathaniel McCallum of Red Hat reported that pyrad was
> > > > creating serialized RADIUS packet IDs in the CreateID()
> > > > function in packet.py. This is not suitable for RADIUS as the
> > > > RFC specifies that the ID must not be predictable.  As a
> > > > result, the ID of the next packet sent can be spoofed.
>
> Please use CVE-2013-0295 for this issue.

Please REJECT CVE-2013-0295 and use CVE-2013-0294 for both issues
(same code issue, same version, same reporter).


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRHyjlAAoJEBYNRVNeJnmT02YP/0IgeqytaZjW0ltY10te6RSu
osz/ZS6ZREPJha4WkV/Zy/TeEDQ3MbA5jvIZGHu95wn3j5LG9JkNh10ufqlOY/OF
vajvm/2ICqUI3onjhSk0tY1eV/3vxcfkHzZFG3ARaM/cU21Rj40AbX/DA8mKNX80
x7LI0999hGZeuDb+sYhKYCulSt041HbRcFQDpBPwZJcX46FFZusSA9xevP+iuQxG
oqDURPfxa4eM3BmUeSO4ONiTDLMVlkwHmnyUE+GOYEt7Jabh+VufH2z3HLaxUy6C
NWW5YJNdejBzUKjZnrdRBIPGaXG2Uo4JJKh3I8SKchhxqHp+zvIYWtmGVTtVP11P
jULoSoaevKpQqwqycFYopnGra/AY/wBBIPWLrhlbr2kcSOLuSCcMqpF5hrr1MAKT
c8oWGbBDkRUFJArDlzPk7sNvxAWtViYLPTMA2hKDGGgOYMNJ8NeWjFVks8zuJkEo
SuLZnUJ4Com4kNLsfvFXjlWrK6fwMCgn1s/2Iz4F2b/dt6f1ziSuTAxCU4/mxwQS
XSBipPV+YxM/qbYhBa8g+LoMCT88ukPqmUOFzLavL8vvkpQlrusnLj9ditbl9GPh
gjoaLbt8PVhPs24mZuTdgLaXuDHbK43QdSBBTLGUx5VaKeeNInmxWs/78y3oO837
Cf9LQDqUMcENF5L1s9jp
=fObK
-----END PGP SIGNATURE-----