pwgen includes capital Os when generating non-ambiguous passwords
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
pwgen (Debian) | Fix Released | Unknown | | |
pwgen (Ubuntu) | Fix Released | Medium | Unassigned | |
Bug Description
Binary package hint: pwgen
If you generate non-ambiguous passwords with pwgen by passing it the -B argument, capital letter Os are not prevented. For example, this:
$ pwgen -B 8 1
Ies7Onga
should never happen, but it does. (I didn't make up that output; I copied it from konsole.)
In the code, letters are generated (during this step they are checked against the ambiguous character list). In the next step, some characters are "uppercased". So a small o (which is fine) gets converted to a large O, but no second check happens, so large Os can slip through. I believe I've fixed the problem, and have included a patch.
Thank you.
Details:
Description: Ubuntu 10.04.1 LTS
Release: 10.04
pwgen:
Installed: 2.06-1ubuntu2
Candidate: 2.06-1ubuntu2
Version table:
*** 2.06-1ubuntu2 0
500 http://
100 /var/lib/
Changed in pwgen (Ubuntu): | |
importance: | Undecided → Medium |
status: | New → Triaged |
tags: | added: patch |
Changed in pwgen (Debian): | |
status: | Unknown → New |
Changed in pwgen (Debian): | |
status: | New → Fix Released |
This bug was fixed in the package pwgen - 2.07-1ubuntu1
---------------
pwgen (2.07-1ubuntu1) vivid; urgency=medium

  * Resynchronise with Debian (LP: #1183213, #638418, #1349863). Remaining
    changes:
    - Fix pwgen -s so it works after other options.
    - Use correct compiler when cross-building.
    - Mark pwgen Multi-Arch: foreign.

pwgen (2.07-1) unstable; urgency=high

  * New upstream version
  * Remove backwards compatibility for no-tty mode. Addresses
    CVE-2013-4440 (Closes: #725507)
  * Fail hard if /dev/urandom and /dev/random are not available.
    Addresses CVE-2013-4442 and Launchpad #1183213 (Closes: #767008)
  * Fix pwgen -B so that it doesn't accidentally generate passwords with
    ambiguous characters after changing the case of some letters.
    Addresses Launchpad Bugs #638418 and #1349863
  * Fix potential portability bug on architectures where unsigned ints
    are not 4 bytes long
  * Update Debian policy compliance to 3.9.6.0
  * Build with Debian hardening using dpkg-buildflags

 -- Colin Watson <email address hidden> Tue, 11 Nov 2014 13:11:19 +0000
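
The ordering problem described in the bug report, and the fix noted in the 2.07-1 changelog, shown as an added example. This is a simplified model, not pwgen's source code: the ambiguous set, the function names and the bitmask that stands in for pwgen's random case choice are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed ambiguous set for this example (assumption, not copied from pwgen). */
static const char AMBIGUOUS[] = "0O1lI";

/* Uppercase the characters of buf whose index bit is set in mask. */
static void uppercase_at(char *buf, unsigned mask)
{
    for (size_t i = 0; i < 32 && buf[i] != '\0'; i++)
        if (mask & (1u << i))
            buf[i] = (char)toupper((unsigned char)buf[i]);
}

/* Order described in the report: filter first, change case afterwards.
 * Returns 1 if the candidate is accepted, 0 if it is rejected. */
int accept_check_then_case(char *buf, unsigned mask)
{
    if (strpbrk(buf, AMBIGUOUS) != NULL)
        return 0;                /* rejected before any case change */
    uppercase_at(buf, mask);     /* 'o' can become 'O' with no re-check */
    return 1;
}

/* Corrected order: change case first, then filter the final string.
 * On 0 the caller is expected to discard buf and generate a new candidate. */
int accept_case_then_check(char *buf, unsigned mask)
{
    uppercase_at(buf, mask);
    return strpbrk(buf, AMBIGUOUS) == NULL;
}

/* Invariant a regression test can enforce on every emitted password. */
int has_ambiguous(const char *pw)
{
    return strpbrk(pw, AMBIGUOUS) != NULL;
}

int main(void)
{
    char a[] = "ies7onga", b[] = "ies7onga"; /* constructed lowercase candidate */
    unsigned mask = (1u << 0) | (1u << 4);   /* uppercase the 'i' and the 'o' */
    int ra = accept_check_then_case(a, mask);
    int rb = accept_case_then_check(b, mask);
    printf("check-then-case: accepted=%d output=%s ambiguous=%d\n",
           ra, a, has_ambiguous(a));
    printf("case-then-check: accepted=%d\n", rb);
    return 0;
}
```

Running `has_ambiguous` over a large batch of `pwgen -B` output is a cheap regression check for this class of bug, since it tests the emitted string and not an intermediate one.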