Standard random number generators (using shuffle) should not be used to generate randomness
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cinder | Fix Released | Medium | Ivan Kolodyazhny |
Bug Description
In the Cinder code, in /cinder/utils.py, the two lines of code below use shuffle to generate a random number. Standard random number generators should not be used to generate randomness used for security reasons. Could we use a cryptographic randomness generator that provides sufficient entropy instead?
```python
# If length < len(symbolgroups), the leading characters will only
# be from the first length groups. Try our best to not be predictable
# by shuffling and then truncating.
r.shuffle(password)
password = password[:length]
length -= len(password)
# finally shuffle to ensure first x characters aren't from a
# predictable group
r.shuffle(password)  # <-- This line of code has the described issue.
return ''.join(password)
```
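One way to get the cryptographic randomness the report asks for, as an added example that is not Cinder's code or its eventual fix: keep the shuffle-and-truncate logic from the excerpt but bind `r` to `random.SystemRandom()`, which draws from the OS CSPRNG. The function signature, the `rng` parameter, the default symbol groups and the `seeded_outputs_repeat` helper are assumptions made for illustration.

```python
import random

# Constructed sample groups (ambiguous characters such as 0/O and 1/l left out).
DEFAULT_SYMBOLGROUPS = (
    "23456789",
    "ABCDEFGHJKLMNPQRSTUVWXYZ",
    "abcdefghijkmnopqrstuvwxyz",
)


def generate_password(length=16, symbolgroups=DEFAULT_SYMBOLGROUPS, rng=None):
    """Build a password the way the excerpt does, drawing from a CSPRNG."""
    # SystemRandom reads os.urandom(); it has no seed or internal state
    # that an observer could recover to predict later output.
    r = rng if rng is not None else random.SystemRandom()

    # Start with one character from each group so every class is present.
    password = [r.choice(group) for group in symbolgroups]

    # If length < len(symbolgroups), shuffle before truncating so the
    # surviving characters are not always from the first groups.
    r.shuffle(password)
    password = password[:length]
    length -= len(password)

    # Fill the remainder from all groups combined.
    symbols = "".join(symbolgroups)
    password.extend(r.choice(symbols) for _ in range(length))

    # Final shuffle so the leading characters are not tied to a known group.
    r.shuffle(password)
    return "".join(password)


def seeded_outputs_repeat(seed=1234):
    """Hypothetical check: a seedable generator replays the same password."""
    first = generate_password(rng=random.Random(seed))
    second = generate_password(rng=random.Random(seed))
    return first == second
```

`random.Random` is a Mersenne Twister, so anyone who learns or reconstructs its state can replay `choice()` and `shuffle()`; `random.SystemRandom` exposes the same methods without that property.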
information type: | Private Security → Public |
description: | updated |
summary: |
- Standard random number generators should not be used to generate
- randomness
+ Standard random number generators (using shuffle ) should not be used
+ to generate randomness
Changed in cinder: | |
importance: | Undecided → Medium |
milestone: | none → juno-1 |
status: | New → Triaged |
information type: | Public → Public Security |
Changed in cinder: | |
milestone: | juno-1 → juno-2 |
Changed in cinder: | |
status: | Fix Committed → Fix Released |
Changed in cinder: | |
milestone: | juno-2 → 2014.2 |
Cinder devs: could you comment on how much those "random" numbers are used in a security context? We need to determine if this would be a welcome strengthening (no advisory published) or an exploitable vulnerability (advisory published).