Message-ID: <CACYkhxiNS=qbNLwxpQCzFUDtmzniFP1gJ=PJO5MtHAA09e5-+g@mail.gmail.com>
Date: Fri, 11 Oct 2013 09:28:26 +1100
From: Michael Samuel <mik@...net.net>
To: oss-security@...ts.openwall.com, security@...ian.org
Subject: Re: RESEND: CVE Request: pwgen

On 11 October 2013 00:35, Marcus Meissner <meissner@...e.de> wrote:
> (CVE worthyness:
> It does not fully meet the security expectations of generating
> a non-weak password by default....
> )

"Exploiting in the wild" isn't what I do, but it wouldn't be hard to weed
out some pwgen passwords from public dumps simply by doing:

pwgen -cn 8 1000000000 | john --stdin pwfile

I have a program that tries to mimic the internal state and generate in
order of probability, but it still needs some tuning. There will be a
couple of slides on pwgen at my Ruxcon talk too.

For distros not wanting to ship an insecure program, see
https://github.com/therealmik/pwgen/compare/securityfixes

I think somebody at Debian needs to do an NMU, since the maintainer is
still not responding.

Regards,
  Michael
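The thread's point is that a generator can advertise a large alphabet while its actual output space is much smaller, which is what lets a sample of its passwords be ranked by probability. The following is an added example, not part of the mailing-list post and not pwgen's code: it audits any password generator by measuring the empirical per-position entropy of a sample of its output. The "toy_pronounceable_generator" is a constructed, deliberately weak stand-in used only to show what a biased generator looks like in the numbers; it is not pwgen's algorithm. The sum of per-position entropies is an upper bound on the joint entropy of the passwords, so when it falls well below length * log2(alphabet size) the generator is provably weaker than its character set suggests.

```python
"""Audit a password generator for per-position bias (added example).

Constructed illustration: the two generators below are stand-ins and are
NOT pwgen's algorithm.  audit() works on any callable generator(length, n)
that returns a list of passwords.
"""
import math
import random
import secrets
import string
from collections import Counter
from typing import Callable, Dict, Iterable, List

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, like -cn output


def uniform_generator(length: int, n: int) -> List[str]:
    """Reference: every character drawn uniformly via the OS CSPRNG."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length))
            for _ in range(n)]


def toy_pronounceable_generator(length: int, n: int, seed: int = 1) -> List[str]:
    """Hypothetical weak generator: alternates consonant/vowel from a seeded,
    non-cryptographic PRNG.  Constructed for illustration only."""
    rng = random.Random(seed)
    consonants = "bcdfghjklmnpqrstvwxyz"
    vowels = "aeiou"
    out = []
    for _ in range(n):
        chars = []
        for i in range(length):
            pool = consonants if i % 2 == 0 else vowels
            chars.append(rng.choice(pool))
        out.append("".join(chars))
    return out


def shannon_bits(counts: Counter) -> float:
    """Empirical Shannon entropy in bits of a symbol frequency table."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def position_entropies(passwords: Iterable[str]) -> List[float]:
    """Entropy (bits) of the character observed at each position."""
    pws = list(passwords)
    length = len(pws[0])
    return [shannon_bits(Counter(pw[i] for pw in pws)) for i in range(length)]


def audit(generator: Callable[[int, int], List[str]],
          length: int = 8, n: int = 20000) -> Dict[str, float]:
    """Compare a generator's observed bits against its nominal alphabet bits.

    upper_bound_bits = sum of per-position entropies >= true joint entropy,
    so a value far below nominal_bits proves the output space is small."""
    pws = generator(length, n)
    per_pos = position_entropies(pws)
    return {
        "nominal_bits": length * math.log2(len(ALPHABET)),
        "upper_bound_bits": sum(per_pos),
        "min_position_bits": min(per_pos),
        "distinct_fraction": len(set(pws)) / len(pws),
    }


if __name__ == "__main__":
    for name, gen in (("uniform", uniform_generator),
                      ("toy_pronounceable", toy_pronounceable_generator)):
        r = audit(gen)
        print(f"{name:18s} nominal={r['nominal_bits']:.1f} "
              f"upper_bound={r['upper_bound_bits']:.1f} "
              f"weakest_pos={r['min_position_bits']:.2f} "
              f"distinct={r['distinct_fraction']:.4f}")
```

Running it side by side shows the uniform generator's upper bound sitting just under the nominal 47.6 bits for eight characters, while the constructed consonant/vowel generator cannot exceed roughly 27 bits regardless of how many passwords are sampled. The check is a first-pass filter only: per-position entropy ignores correlations between positions and says nothing about the seed, so a generator that passes it can still be weak, but one that fails it is certainly not delivering the strength its alphabet implies.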