#651510 (gpw) - Not sure if security bug

To: debian-security@lists.debian.org
Subject: #651510 (gpw) - Not sure if security bug
From: Michael Stummvoll <michael@stummi.org>
Date: Mon, 16 Jan 2012 11:30:26 +0100
Message-id: <4F13FC42.1030404@stummi.org>

Hi,

last month I filed the bug #651510 against gpw. Short version of this bug:

gpw is a password generator util. The user provides the length ofpassword and gpw generates one or some with this.The bug brings gpw to generate shorter passwords then provided in somecases.

This case is very seldom:

in ~20 out of 1 mio, the password is shorter then provided - for anprovided length on 10.and in ~5-10 out of 1 mio, the password is only 3 chars long (should beindepend of provided length)

This rate should'nt affect an normal user I think. But e.g. if used in ascript for automaticly generation of logins, that could be securityrelevant if a 3-char-password is assumed as a secure password.


However, this case looks very constructed to me.

I hoped for a response from maintainer to get a clear point if he seethis bug as security-bug, but since i filed it a month ago, nothinghappened, and i am still not sure about the servity of this bug.

Now, i am thinking about to retag it to security, but therefore I wantto obtain some opinions here.


Thanks,
Michael Stummvoll

Reply to:

Follow-Ups:
- Re: #651510 (gpw) - Not sure if security bug
  - From: Yves-Alexis Perez <corsac@debian.org>

Prev by Date: R: [SECURITY] [DSA 2389-1] linux-2.6 security update
Next by Date: Re: #651510 (gpw) - Not sure if security bug
Previous by thread: R: [SECURITY] [DSA 2389-1] linux-2.6 security update
Next by thread: Re: #651510 (gpw) - Not sure if security bug
Index(es):
- Date
- Thread