It looks like this bug does mischaracterize CVE-2013-4442. Unlike what's said here, the issue is not using /dev/urandom instead of /dev/random (which, contrary to popular wisdom, is not an issue) but that, if opening these two devices fails, pwgen falls back to using pids and time.
On BSD and Linux/GNU, /dev/urandom is guaranteed, so this might trigger if:

 * someone exhausts the system-wide descriptor limit
 * a chroot lacks the /dev entries
 * the admin writes a pathologically bad SELinux policy

Let's track this as a separate bug. I'd say that this is only a minor vulnerability, thus let's have it at "important" severity. pwgen has at least one RC issue, so it wouldn't be bad to fix for jessie, but I don't see it as a must.

-- 
// If you believe in so-called "intellectual property", please immediately
// cease using counterfeit alphabets. Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable and Non-Discriminatory prices.
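The failure mode described in the message above (the device cannot be opened, so the generator seeds from a pid and a timestamp), shown as an added illustration that is not pwgen's code and not part of the original thread. The LCG, the seed mixing, the alphabet and the constructed timestamp are assumptions for the demo; the recovery loop shows why such a seed is brute-forceable, and the fail-closed reader shows the alternative of refusing to generate when the device is unavailable.

```c
/* Added illustration (not pwgen's code): why falling back to pid+time when
 * /dev/urandom cannot be opened is a vulnerability, and a fail-closed
 * alternative.  LCG constants, seed mixing and alphabet are assumptions. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define PW_LEN 8
static const char ALPHABET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

/* Minimal LCG so the demo is deterministic across platforms. */
static uint32_t lcg_next(uint32_t *state) {
    *state = *state * 1664525u + 1013904223u;
    return *state >> 8;
}

/* The weak path: seed derived only from a pid and a timestamp.  Total
 * entropy is about log2(pid_range * time_window) bits, nowhere near
 * the ~47 bits an 8-char password from this alphabet should carry. */
static void weak_password(uint32_t pid, uint32_t t, char out[PW_LEN + 1]) {
    uint32_t state = (pid << 16) ^ t;            /* assumed mixing */
    for (size_t i = 0; i < PW_LEN; i++)
        out[i] = ALPHABET[lcg_next(&state) % (sizeof ALPHABET - 1)];
    out[PW_LEN] = '\0';
}

/* Attacker view: knowing the password came from the weak path, enumerate
 * every (pid, time) pair in a plausible window and regenerate.  Returns the
 * number of candidates tried up to and including the match, or -1. */
static long recover_weak_password(const char *observed, uint32_t pid_max,
                                  uint32_t t_lo, uint32_t t_hi) {
    char cand[PW_LEN + 1];
    long tried = 0;
    for (uint32_t pid = 1; pid <= pid_max; pid++) {
        for (uint32_t t = t_lo; t <= t_hi; t++) {
            tried++;
            weak_password(pid, t, cand);
            if (memcmp(cand, observed, PW_LEN) == 0)
                return tried;
        }
    }
    return -1;
}

/* The fail-closed path: read the full buffer from the device or report
 * failure; never substitute a weak seed.  Returns 0 on success, -1 on error
 * (ENFILE, a chroot without /dev, a policy denial, a short read, ...). */
static int fill_random_fail_closed(const char *path, unsigned char *buf, size_t n) {
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r <= 0) { close(fd); return -1; }
        got += (size_t)r;
    }
    close(fd);
    return 0;
}

/* Constructed scenario: pid 4242, generated 17 s into a 60 s window, with
 * the attacker scanning pids 1..32768 over that window. */
static long demo_recovery_count(void) {
    char pw[PW_LEN + 1];
    uint32_t t0 = 1386000000u;                   /* constructed timestamp */
    weak_password(4242, t0 + 17, pw);
    return recover_weak_password(pw, 32768, t0, t0 + 59);
}

/* Constructed scenario: the device path does not exist (e.g. a chroot
 * without /dev); the fail-closed reader must report failure. */
static int demo_device_missing(void) {
    unsigned char buf[16];
    return fill_random_fail_closed("/nonexistent/urandom", buf, sizeof buf);
}

int main(void) {
    printf("weak password recovered after %ld candidates\n", demo_recovery_count());
    if (demo_device_missing() < 0)
        puts("device unavailable: refusing to generate (fail closed)");
    return 0;
}
```

With the constructed parameters the brute force tries (4242 - 1) * 60 + 18 = 254478 candidates, a fraction of a second, which is the practical content of the "pids and time" fallback being a vulnerability.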