Re: Bug#651510: #651510 (gpw) - Not sure if security bug

To: Yves-Alexis Perez <corsac@debian.org>, 651510@bugs.debian.org
Cc: Michael Stummvoll <michael@stummi.org>, debian-security@lists.debian.org
Subject: Re: Bug#651510: #651510 (gpw) - Not sure if security bug
From: "Francesco P. Lovergine" <frankie@debian.org>
Date: Tue, 17 Jan 2012 10:03:11 +0100
Message-id: <20120117090310.GA2589@mithrandir>
Mail-followup-to: Yves-Alexis Perez <corsac@debian.org>, 651510@bugs.debian.org, Michael Stummvoll <michael@stummi.org>, debian-security@lists.debian.org
In-reply-to: <1326782288.4782.65.camel@scapa>
References: <4F13FC42.1030404@stummi.org> <1326782288.4782.65.camel@scapa>

On Tue, Jan 17, 2012 at 07:38:08AM +0100, Yves-Alexis Perez wrote:
> tag 651510 security
> thanks
> On lun., 2012-01-16 at 11:30 +0100, Michael Stummvoll wrote:
> > Hi,
> > 
> > last month I filed the bug #651510 against gpw. Short version of this bug:
> 
> Hi, sorry for the delay.
> > 
> > gpw is a password generator util. The user provides the length of 
> > password and gpw generates one or some with this.
> > The bug brings gpw to generate shorter passwords then provided in some 
> > cases.
> > This case is very seldom:
> > in ~20 out of 1 mio, the password is shorter then provided - for an 
> > provided length on 10.
> > and in ~5-10 out of 1 mio, the password is only 3 chars long (should be 
> > independ of provided length)
> > 
> > This rate should'nt affect an normal user I think. But e.g. if used in a 
> > script for automaticly generation of logins, that could be security 
> > relevant if a 3-char-password is assumed as a secure password.
> 
> Agreed, the manpage is pretty specific about that, the passwords are
> supposed to be of the specified length.
> > 

Sorry, I did not receive the mail about that, maybe filtered out by
my multi-layer spam filters. That said, it is a bug. About security
I would note that an alphabetic only password should not be considered
safe enough. Gpw should be used in combination with some other randomizer
to obtain a semi-pronounceable password. 
So I consider that bug from minor to neglectable at the security level.
Gpw can be considered safe enough in some contexts, but not in general.
And that's true independently on this bug.

> > However, this case looks very constructed to me.
> > I hoped for a response from maintainer to get a clear point if he see 
> > this bug as security-bug, but since i filed it a month ago, nothing 
> > happened, and i am still not sure about the servity of this bug.
> 
> To me that's definitely a security issue, though I'm not sure how much
> people use gpw in a script (or gpw at all).
> > 
> > Now, i am thinking about to retag it to security, but therefore I want 
> > to obtain some opinions here.
> 
> That'd be a start, but note that gpw doesn't look like the most
> maintained piece of software.
> 

That's sure but as for a lot of softwares, it is useful enough 
for some goals.

-- 
Francesco P. Lovergine

Reply to:

References:
- #651510 (gpw) - Not sure if security bug
  - From: Michael Stummvoll <michael@stummi.org>
- Re: #651510 (gpw) - Not sure if security bug
  - From: Yves-Alexis Perez <corsac@debian.org>

Prev by Date: Re: #651510 (gpw) - Not sure if security bug
Next by Date: Testers needed for Tomcat security update
Previous by thread: Re: #651510 (gpw) - Not sure if security bug
Next by thread: Testers needed for Tomcat security update
Index(es):
- Date
- Thread