oss-sec mailing list archives
Re: RESEND: CVE Request: pwgen
From: Michael Samuel <mik () miknet net>
Date: Fri, 11 Oct 2013 09:28:26 +1100
On 11 October 2013 00:35, Marcus Meissner <meissner () suse de> wrote:
> (CVE worthiness: It does not fully meet the security expectations of generating a non-weak password by default.... )

"Exploiting in the wild" isn't what I do, but it wouldn't be hard to weed out some pwgen passwords from public dumps simply by doing:

    pwgen -cn 8 1000000000 | john --stdin pwfile

I have a program that tries to mimic the internal state and generate in order of probability, but it still needs some tuning. There will be a couple of slides on pwgen at my Ruxcon talk too.

For distros not wanting to ship an insecure program, see https://github.com/therealmik/pwgen/compare/securityfixes

I think somebody at Debian needs to do an NMU, since the maintainer is still not responding.

Regards,
Michael