oss-sec mailing list archives
Re: RESEND: CVE Request: pwgen
From: Marcus Meissner <meissner () suse de>
Date: Thu, 10 Oct 2013 15:35:09 +0200
Hi,

It might just not be that CVE worthy. But I saw no replies...

(CVE worthiness: It does not fully meet the security expectations of generating a non-weak password by default....)

Solar? Kurt?

Ciao, Marcus

On Thu, Sep 26, 2013 at 11:11:59AM +1000, Michael Samuel wrote:
> Hi,
>
> No CVEs have been assigned for this, and as far as I can tell no distributions have patched.
>
> On 6 June 2013 14:19, Michael Samuel <mik () miknet net> wrote:
> > I've done some further analysis of the program after reading the previous thread, and I think there needs to be CVEs and fixes for:
> >
> > - When used from a non-tty, passwords are trivially weak by default (first reported by Solar Designer)
> > - Phonemes mode has heavy bias and is enabled by default (first reported by Solar Designer)
> > - Silent fallback to insecure entropy (first reported by Jean-Michel Vourgère) (Debian bug #672241 - tagged as "wishlist")
> > - Secure mode has bias towards numbers and uppercase letters
> >
> > I've attached a patch that fixes most issues - it doesn't solve the bias towards numbers, because it's caused by requiring at-least one number per password - so in an 8 character password there'd have to be 0.1 numbers to avoid bias. There's an argument to be made for removing the at-least-one rule, but if the system that password is being used with has those rules, it doesn't fix the problem anyway. Perhaps a separate flag for that?
> >
> > The changes are:
> >
> > - Print a message and abort() if there's trouble opening or reading /dev/urandom (so apport should pick up any packages that have been using insecure entropy)
> > - Make "-s" the default
> > - Add an argument --insecure-phonemes (or -P)
> > - Non-tty passwords are now as secure as tty
> > - Require lower-case characters be present to even out some bias
> > - Pull in passwdqc as a Suggests on the Debian package - pwqgen can generate sane random passphrases
> >
> > I can't imagine any reasonable use-case for the non-tty defaults (except maybe combining with espeak as an enhanced interrogation technique), and you can be certain that there's some people out there with it embedded in a script that's generating useless passwords.
> >
> > For phonemes mode in general, the bias is extreme, there are a limited number of possible combinations and it is generally not suitable for security purposes.
> >
> > I have some fairly detailed analysis of it, but I believe this list has a no-exploits policy...
> >
> > Regards,
> >   Michael
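Two of the points in the quoted report can be made concrete: the "at least one number" rule biases the digit share of otherwise uniform passwords, and a generator should abort rather than silently fall back when the OS entropy source fails. The following is an added example written for this archive page; it is not pwgen's code and not code from anyone on the thread. It assumes a 62-symbol charset (a-z, A-Z, 0-9) and 8-character passwords, computes the exact expected digit count with and without the rule by inclusion-exclusion, and cross-checks it with a rejection-sampling generator that reads only from the OS CSPRNG (the `keyspace`, `expected_digits`, `generate` and `urandom_or_die` names are the example's own).

```python
"""Added example, not pwgen's code: measure the bias an "at least one digit"
rule adds to otherwise uniform passwords, and generate passwords in a way that
never falls back silently when the OS entropy source is unavailable.
Assumptions: a 62-symbol charset (a-z, A-Z, 0-9) and 8-character passwords."""
import math
import os
import string
import sys
from fractions import Fraction
from math import comb

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
ALPHABET = LOWER + UPPER + DIGITS  # 62 symbols (assumed charset)


def keyspace(length, require_digit=True, a=len(ALPHABET), d=len(DIGITS)):
    """Count of strings of `length` over `a` symbols; with the rule, subtract
    the strings that contain no digit at all (inclusion-exclusion)."""
    return a ** length - ((a - d) ** length if require_digit else 0)


def expected_digits(length, require_digit=True, a=len(ALPHABET), d=len(DIGITS)):
    """Exact expected number of digits per password, as a Fraction.
    Without the rule it is length*d/a; with it, condition on k >= 1 digits:
    sum_k k*C(n,k)*d^k*(a-d)^(n-k) divided by the constrained keyspace."""
    if not require_digit:
        return Fraction(length * d, a)
    weighted = sum(k * comb(length, k) * d ** k * (a - d) ** (length - k)
                   for k in range(1, length + 1))
    return Fraction(weighted, keyspace(length, True, a, d))


def entropy_loss_bits(length):
    """Bits of guessing entropy the rule removes at this length."""
    return math.log2(keyspace(length, False)) - math.log2(keyspace(length, True))


def urandom_or_die(n):
    """Read n bytes from the OS CSPRNG. Following the fix described in the
    report, print a message and abort instead of using weaker entropy."""
    try:
        return os.urandom(n)
    except (OSError, NotImplementedError) as exc:
        sys.exit(f"pwgen-example: cannot read secure entropy: {exc}")


def random_index(n_symbols):
    """Unbiased index in [0, n_symbols): reject bytes in the tail that would
    make `byte % n_symbols` uneven (for 62 symbols, bytes >= 248)."""
    limit = 256 - (256 % n_symbols)
    while True:
        b = urandom_or_die(1)[0]
        if b < limit:
            return b % n_symbols


def generate(length=8, require_digit=True):
    """Rejection sampling: draw uniformly, retry until the rule is met. The
    result is uniform over the constrained set, which is what shifts the digit
    share upward (assumption: pwgen's own loop may differ in detail)."""
    while True:
        pw = "".join(ALPHABET[random_index(len(ALPHABET))] for _ in range(length))
        if not require_digit or any(c in DIGITS for c in pw):
            return pw


def empirical_digit_mean(samples=20000, length=8, require_digit=True):
    """Monte Carlo check of expected_digits() using the generator above."""
    total = sum(sum(c in DIGITS for c in generate(length, require_digit))
                for _ in range(samples))
    return total / samples


if __name__ == "__main__":
    for rule in (False, True):
        print(f"require_digit={rule}: keyspace={math.log2(keyspace(8, rule)):.2f} bits, "
              f"E[digits]={float(expected_digits(8, rule)):.4f} "
              f"(measured {empirical_digit_mean(5000, 8, rule):.3f})")
    print(f"entropy removed by the rule at length 8: {entropy_loss_bits(8):.3f} bits")
```

Running it shows the mechanism behind the reported bias: with 8 characters over 62 symbols the unconstrained expectation is 80/62 digits (about 16% of positions), while requiring at least one digit raises it to roughly 1.71 digits (about 21%), even though the rule costs under half a bit of keyspace. The same arithmetic applies to the "at least one uppercase" and "at least one lowercase" rules, which is why adding a lowercase requirement evens the bias out rather than removing it.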