tag 651510 security
thanks

On Mon, 2012-01-16 at 11:30 +0100, Michael Stummvoll wrote:
> Hi,
>
> last month I filed the bug #651510 against gpw. Short version of this bug:

Hi, sorry for the delay.

> gpw is a password generator util. The user provides the length of
> password and gpw generates one or some with this.
> The bug brings gpw to generate shorter passwords than provided in some
> cases.
> This case is very seldom:
> in ~20 out of 1 mio, the password is shorter than provided - for a
> provided length of 10.
> and in ~5-10 out of 1 mio, the password is only 3 chars long (should be
> independent of provided length)
>
> This rate shouldn't affect a normal user I think. But e.g. if used in a
> script for automatic generation of logins, that could be security
> relevant if a 3-char-password is assumed as a secure password.

Agreed, the manpage is pretty specific about that, the passwords are
supposed to be of the specified length.

> However, this case looks very constructed to me.
> I hoped for a response from maintainer to get a clear point if he sees
> this bug as a security bug, but since I filed it a month ago, nothing
> happened, and I am still not sure about the severity of this bug.

To me that's definitely a security issue, though I'm not sure how much
people use gpw in a script (or gpw at all).

> Now, I am thinking about retagging it to security, but therefore I want
> to obtain some opinions here.

That'd be a start, but note that gpw doesn't look like the most
maintained piece of software.

Regards,
-- 
Yves-Alexis
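
Added example (not part of the original message, and not gpw's own code): a fail-closed wrapper for the scripted use case raised in the thread. It discards any generated password whose length differs from the requested one and regenerates, giving up after a fixed number of attempts. fake_gpw and its output are constructed stand-ins; the real generator's command line is passed in by the caller.

```shell
#!/bin/sh
# checked_passwords COUNT LENGTH CMD [ARGS...]
# Runs CMD (any generator printing one password per line), keeps only
# passwords of exactly LENGTH characters, and prints COUNT of them.
# Nothing is printed and status 1 is returned if the generator fails
# or keeps producing wrong-length output.
checked_passwords() {
    count=$1 len=$2; shift 2
    kept="" have=0 tries=0 max_tries=5
    while [ "$have" -lt "$count" ]; do
        tries=$((tries + 1))
        if [ "$tries" -gt "$max_tries" ]; then
            echo "checked_passwords: giving up after $max_tries attempts" >&2
            return 1
        fi
        batch=$("$@") || return 1
        # The here-document keeps the loop in the current shell,
        # so $kept and $have survive it.
        while IFS= read -r pw; do
            if [ "${#pw}" -ne "$len" ]; then
                # Report the length only, never the password itself.
                echo "rejected ${#pw}-char password (wanted $len)" >&2
            elif [ "$have" -lt "$count" ]; then
                kept="$kept$pw
"
                have=$((have + 1))
            fi
        done <<EOF
$batch
EOF
    done
    printf '%s' "$kept"
}

# Constructed stand-in for a generator showing the reported behaviour:
# asked for length 10, it sometimes returns 3- or 7-char strings.
fake_gpw() {
    printf '%s\n' "mentorabli" "abc" "quistanope" "shortpw"
}

# Demo: two passwords of length 10; the short ones are reported on stderr.
checked_passwords 2 10 fake_gpw
```

The wrapper only checks length; it says nothing about how much entropy the generator's output carries.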