pwgen includes capital Os when generating non-ambiguous passwords

Bug #638418 reported by Brian Beck
Affects          Status        Importance  Assigned to  Milestone
pwgen (Debian)   Fix Released  Unknown
pwgen (Ubuntu)   Fix Released  Medium      Unassigned

Bug Description

Binary package hint: pwgen

If you generate non-ambiguous passwords with pwgen by passing it the -B argument, capital letter Os are not prevented. For example, this:

$ pwgen -B 8 1
Ies7Onga

should never happen, but it does. (I didn't make up that output; I copied it from konsole.)

In the code, letters are generated (during this step they are checked against the ambiguous character list). In the next step some characters are "uppercased". So a small o (which is fine) gets converted to a large O, but no second check happens, so large Os can slip through. I believe I've fixed the problem, and have included a patch.

Thank you.

Details:
Description: Ubuntu 10.04.1 LTS
Release: 10.04

pwgen:
  Installed: 2.06-1ubuntu2
  Candidate: 2.06-1ubuntu2
  Version table:
 *** 2.06-1ubuntu2 0
        500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status

Tags: patch
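The two-step flow the report describes (filter the ambiguous set, then uppercase some letters without re-checking) reproduced as a small Python model, with the re-check added beside it. This is an added illustration, not pwgen's code or the attached patch; the ambiguous character set is constructed here from what I recall of pwgen's -B list and should be treated as an assumption.

```python
import random
import string

# Assumed -B exclusion set (constructed for this example, not copied from pwgen).
AMBIGUOUS = set("B8G6I1l0OQDS5Z2")

def has_ambiguous(pw):
    """True if any character of pw is in the ambiguous set (the -B guarantee is broken)."""
    return any(ch in AMBIGUOUS for ch in pw)

def _base_password(length, rng):
    # Step 1: draw lowercase letters and digits, rejecting ambiguous ones.
    pool = [c for c in string.ascii_lowercase + string.digits if c not in AMBIGUOUS]
    return [rng.choice(pool) for _ in range(length)]

def buggy_generate(length, rng):
    # Step 2 as reported: uppercase roughly half the letters with no second check,
    # so an allowed 'o' (or 'b', 'd', 'g', ...) silently becomes a forbidden 'O'.
    chars = _base_password(length, rng)
    return "".join(c.upper() if c.isalpha() and rng.random() < 0.5 else c
                   for c in chars)

def fixed_generate(length, rng):
    # Step 2 with the missing check: only uppercase when the uppercased form
    # is itself outside the ambiguous set; otherwise keep the lowercase letter.
    out = []
    for c in _base_password(length, rng):
        if c.isalpha() and rng.random() < 0.5 and c.upper() not in AMBIGUOUS:
            out.append(c.upper())
        else:
            out.append(c)
    return "".join(out)

def audit(generate, trials=2000, seed=1):
    """Count how many of `trials` 8-character passwords violate the -B promise.
    A seeded PRNG is used only to make the audit reproducible; a real generator
    must use a CSPRNG such as secrets.SystemRandom()."""
    rng = random.Random(seed)
    return sum(has_ambiguous(generate(8, rng)) for _ in range(trials))

if __name__ == "__main__":
    print("buggy leaks:", audit(buggy_generate))   # nonzero
    print("fixed leaks:", audit(fixed_generate))   # 0
```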

Brian Beck (brian-beck76) wrote:
Changed in pwgen (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
tags: added: patch
Changed in pwgen (Debian):
status: Unknown → New
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package pwgen - 2.07-1ubuntu1

---------------
pwgen (2.07-1ubuntu1) vivid; urgency=medium

  * Resynchronise with Debian (LP: #1183213, #638418, #1349863). Remaining
    changes:
    - Fix pwgen -s so it works after other options.
    - Use correct compiler when cross-building.
    - Mark pwgen Multi-Arch: foreign.

pwgen (2.07-1) unstable; urgency=high

  * New upstream version
  * Remove backwards compatibility for no-tty mode. Addresses
    CVE-2013-4440 (Closes: #725507)
  * Fail hard if /dev/urandom and /dev/random are not available.
    Addresses CVE-2013-4442 and Launchpad #1183213 (Closes: #767008)
  * Fix pwgen -B so that it doesn't accidentally generate passwords with
    ambiguous characters after changing the case of some letters.
    Addresses Launchpad Bugs #638418 and #1349863
  * Fix potential portability bug on architectures where unsigned ints
    are not 4 bytes long
  * Update Debian policy compliance to 3.9.6.0
  * Build with Debian hardening using dpkg-buildflags
 -- Colin Watson <email address hidden> Tue, 11 Nov 2014 13:11:19 +0000

Changed in pwgen (Ubuntu):
status: Triaged → Fix Released
Changed in pwgen (Debian):
status: New → Fix Released