pwgen does not honour -B when output is a terminal

Bug #1349863 reported by Paul Gear
This bug affects 3 people
Affects: pwgen (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

The pwgen man page states:
       -B, --ambiguous
              Don't use characters that could be confused by the user when printed, such as 'l' and
              '1', or '0' or 'O'. This reduces the number of possible passwords significantly, and as
              such reduces the quality of the passwords. It may be useful for users who have bad
              vision, but in general use of this option is not recommended.

This behaviour is not honoured in all runs where output is a terminal, e.g.:

$ pwgen -B 8 8
Oy7iezuy toh7nieT JoBei3Oh hi4zaX9a bi4iegaY egh7Aiji Eez9icei noh7Po4e
$ pwgen -B 8 8|cat
aihaejoo
eebieshu
aotaekub
uniegahp
uotheboh
weighoon
reunguda
onaemeiw

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: pwgen 2.06-1ubuntu4
ProcVersionSignature: Ubuntu 3.13.0-32.57-generic 3.13.11.4
Uname: Linux 3.13.0-32-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.2
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Jul 30 00:11:44 2014
Dependencies:
 gcc-4.9-base 4.9-20140406-0ubuntu1
 libc6 2.19-0ubuntu6
 libgcc1 1:4.9-20140406-0ubuntu1
 multiarch-support 2.19-0ubuntu6
SourcePackage: pwgen
UpgradeStatus: No upgrade log present (probably fresh install)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in pwgen (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pwgen - 2.07-1ubuntu1

---------------
pwgen (2.07-1ubuntu1) vivid; urgency=medium

  * Resynchronise with Debian (LP: #1183213, #638418, #1349863). Remaining
    changes:
    - Fix pwgen -s so it works after other options.
    - Use correct compiler when cross-building.
    - Mark pwgen Multi-Arch: foreign.

pwgen (2.07-1) unstable; urgency=high

  * New upstream version
  * Remove backwards compatibility for no-tty mode. Addresses
    CVE-2013-4440 (Closes: #725507)
  * Fail hard if /dev/urandom and /dev/random are not available.
    Addresses CVE-2013-4442 and Launchpad #1183213 (Closes: #767008)
  * Fix pwgen -B so that it doesn't accidentally generate passwords with
    ambiguous characters after changing the case of some letters.
    Addresses Launchpad Bugs #638418 and #1349863
  * Fix potential portability bug on architectures where unsigned ints
    are not 4 bytes long
  * Update Debian policy compliance to 3.9.6.0
  * Build with Debian hardening using dpkg-buildflags
 -- Colin Watson <email address hidden> Tue, 11 Nov 2014 13:11:19 +0000

Changed in pwgen (Ubuntu):
status: Confirmed → Fix Released
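
A regression check for the -B behaviour reported here, as an added example (not pwgen's code and not part of the bug report): `ambiguous_hits` flags passwords containing the characters the man page names, and `generate` is a simplified, hypothetical model of filtering before a case change, which lets 'o' turn into 'O'. The four-character ambiguous set, the 0.3 upper-casing rate and all function names are assumptions.

```python
import random

# Characters the man page quoted in the report names as confusable.
# Assumption: this four-character set, not pwgen's internal table.
AMBIGUOUS = frozenset("l1O0")

# The eight passwords from the report's terminal run of `pwgen -B 8 8`.
TERMINAL_SAMPLE = ("Oy7iezuy toh7nieT JoBei3Oh hi4zaX9a "
                   "bi4iegaY egh7Aiji Eez9icei noh7Po4e").split()


def ambiguous_hits(passwords, ambiguous=AMBIGUOUS):
    """Return {password: [ambiguous chars found]} for every offender."""
    hits = {}
    for pw in passwords:
        bad = sorted(set(pw) & ambiguous)
        if bad:
            hits[pw] = bad
    return hits


def generate(length, rng, recheck_after_case):
    """Hypothetical model of the ordering problem, not pwgen's algorithm.

    Characters are drawn from an alphabet with the ambiguous ones removed,
    then some are upper-cased. 'o' passes the filter, but 'O' would not,
    so the filter has to run again after the case change.
    """
    alphabet = [c for c in "abcdefghijklmnopqrstuvwxyz0123456789"
                if c not in AMBIGUOUS]
    while True:
        chars = [rng.choice(alphabet) for _ in range(length)]
        pw = "".join(c.upper() if rng.random() < 0.3 else c for c in chars)
        if not recheck_after_case or not ambiguous_hits([pw]):
            return pw


def batch(count, seed, recheck_after_case):
    """Generate `count` 8-character passwords from a seeded RNG."""
    rng = random.Random(seed)  # seeded for a repeatable demo, not for real use
    return [generate(8, rng, recheck_after_case) for _ in range(count)]


if __name__ == "__main__":
    print("report sample:", ambiguous_hits(TERMINAL_SAMPLE))
    print("filter before case change:", len(ambiguous_hits(batch(500, 1, False))))
    print("filter re-run after case change:", len(ambiguous_hits(batch(500, 1, True))))
```

The same `ambiguous_hits` call can be pointed at the output of an installed pwgen, for both the terminal and the piped case, to confirm the fixed package behaves identically in each.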