Your message dated Mon, 22 Feb 2010 00:47:34 +0000
with message-id <e1njmsu-0006gu...@ries.debian.org>
and subject line Bug#564559: fixed in makepasswd 1.10-5
has caused the Debian Bug report #564559,
regarding makepasswd: Default settings generate insecure passwords
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
564559: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564559
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: makepasswd
Version: 1.10-4
Severity: critical
Tags: security
Justification: root security hole

By default makepasswd gets a 32-bit random seed from /dev/urandom, initializes
Perl's random number generator with it using the srand function, and then generates
the password length and password characters using the rand function, which is not
cryptographically secure and is completely predictable from the initial seed, which
is only 32 bits strong.

Default settings for makepasswd are a password length from 8 to 10 characters
inclusive and a password consisting of the characters A-Za-z0-9 (62 in total), so
theoretically it is possible to create 62^8+62^9+62^10 = 8.5e17 passwords in default
mode. Actually I think that security in this case is better estimated by 62^8 = 2.1e14
because all lengths have equal probability.

But because the rand function depends completely on the srand seed, the number of
possible passwords is lowered from 8.5e17 or 2.1e14 to just 2^32 = 4.2e9. So any root
user (hence the "root security hole" justification) that uses a password generated by
the makepasswd package is vulnerable to a brute force attack. A 4 billion password
brute force attack is quite possible.

The best solution to the issue I've found is using the --rerandom=1 command line
switch, which initializes srand with a cryptographically secure /dev/urandom value
before each rand function call.

-- System Information:
Debian Release: squeeze/sid
  APT prefers stable
  APT policy: (900, 'stable'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-xen-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages makepasswd depends on:
ii  libcrypt-passwdmd5-perl       1.3-9      interoperable MD5-based crypt() fo
ii  perl                          5.10.1-8   Larry Wall's Practical Extraction 

makepasswd recommends no packages.

makepasswd suggests no packages.

-- no debconf information



--- End Message ---
--- Begin Message ---
Source: makepasswd
Source-Version: 1.10-5

We believe that the bug you reported is fixed in the latest version of
makepasswd, which is due to be installed in the Debian FTP archive:

makepasswd_1.10-5.diff.gz
  to main/m/makepasswd/makepasswd_1.10-5.diff.gz
makepasswd_1.10-5.dsc
  to main/m/makepasswd/makepasswd_1.10-5.dsc
makepasswd_1.10-5_all.deb
  to main/m/makepasswd/makepasswd_1.10-5_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 564...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwat...@debian.org> (supplier of updated makepasswd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 22 Feb 2010 00:39:50 +0000
Source: makepasswd
Binary: makepasswd
Architecture: source all
Version: 1.10-5
Distribution: unstable
Urgency: low
Maintainer: Colin Watson <cjwat...@debian.org>
Changed-By: Colin Watson <cjwat...@debian.org>
Description: 
 makepasswd - Generate and encrypt passwords
Closes: 564559
Changes: 
 makepasswd (1.10-5) unstable; urgency=low
 .
   * Imported into a branch on bzr.debian.org; add Vcs-Bzr and Vcs-Browser
     control fields.
   * Use OpenSSL's random number generator, seeded with 256 bits of entropy
     from /dev/urandom (closes: #564559).
Checksums-Sha1: 
 a0440afe2cb324aeaf2050fc1527eba59a6b7c7b 1158 makepasswd_1.10-5.dsc
 88c63cce68102ffcf929708d1ef66c4501189b75 7506 makepasswd_1.10-5.diff.gz
 173712b2dd0fe571a653cb9158991cdabb923703 12192 makepasswd_1.10-5_all.deb
Checksums-Sha256: 
 025bd38aee3ee28b034e8083b05c93ffb58b442871958281e8045221eb93d8d4 1158 makepasswd_1.10-5.dsc
 b1c039090ad4f60be9f8fe05465b37c32ee20245b14fcd0708a93f78f1392097 7506 makepasswd_1.10-5.diff.gz
 2cfb3758a7bd3dc863ec83a2ce71f3bb43edec4a7a4ed645220fb06f573d749f 12192 makepasswd_1.10-5_all.deb
Files: 
 4db062ddcde3321c0a94d2934bf828b5 1158 admin optional makepasswd_1.10-5.dsc
 385062fc5d8c4a246d924f3f10418049 7506 admin optional makepasswd_1.10-5.diff.gz
 e133cf9949502f0ff50e0f951d1c0aa6 12192 admin optional makepasswd_1.10-5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Colin Watson <cjwat...@debian.org> -- Debian developer

iD8DBQFLgdL39t0zAhD6TNERAloQAJ4lOSBdCtYclxMdg/gGqhPtEZ5y2QCfcXsA
iFxhEZFriXlacD6ux1fDZsw=
=FqDT
-----END PGP SIGNATURE-----



--- End Message ---
