Does not generate random passwords

Bug #237251 reported by Ingo Ruhnke on 2008-06-04
Affects: makepasswd (Ubuntu)
Status: Fix Released
Assigned to: Colin Watson

Bug Description

Binary package hint: makepasswd

makepasswd doesn't use /dev/random to generate the password as the description claims, but only uses /dev/random to generate a 32-bit seed for the insecure srand/rand functions. This limits it to a pool of just 2**32 possible passwords, which is much less than it should be able to produce given the default length of 6-8 characters (which also sounds rather short) out of a collection of 58.

Ingo Ruhnke (grumbel) wrote :

Ubuntu 8.04
makepasswd: 1.10-3

Henrik Holst (millihenrik) wrote :

I have noticed the very same and have created a patch that solves it, I have sent the patch up to mainline as well.

Henrik Holst (millihenrik) wrote :

Please ignore my previous comment, I had this confused with a C program with the exact same name (makepasswd) that had the exact same bug :-|

Kees Cook (kees) on 2009-01-24
Changed in makepasswd:
status: New → Confirmed
Colin Watson (cjwatson) wrote :

Fixed some time back. Sorry I didn't notice this report.

makepasswd (1.10-5) unstable; urgency=low

  * Imported into a branch on; add Vcs-Bzr and Vcs-Browser
    control fields.
  * Use OpenSSL's random number generator, seeded with 256 bits of entropy
    from /dev/urandom (CVE-2010-2247; closes: #564559).

 -- Colin Watson <email address hidden> Mon, 22 Feb 2010 00:39:50 +0000

Changed in makepasswd (Ubuntu):
assignee: nobody → Colin Watson (cjwatson)
status: Confirmed → Fix Released
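
The flaw in the bug description (strong entropy spent only on a 32-bit seed for a deterministic PRNG) and the shape of the 1.10-5 fix in the changelog above (every character drawn from a properly seeded cryptographic generator) side by side, as an added example. This is not makepasswd's own Perl code and does not use OpenSSL; Python's `random.Random` stands in for srand/rand and `secrets` for the OpenSSL RNG. The bug report gives only the alphabet size (58) and the 6-8 default length, so the alphabet membership below (alphanumerics minus 0/O/1/l) is an assumption.

```python
"""Weak vs. correct password generation, modelled on Launchpad bug #237251.

Added example, not makepasswd's own code. The 58-character alphabet size
and the 6..8 default length come from the bug description; which 58
characters is an assumption. weak_password reproduces the reported
design (a 32-bit seed feeding a deterministic PRNG); strong_password
draws every character from the OS CSPRNG, as the 1.10-5 fix does via
OpenSSL's generator.
"""
import math
import os
import random
import secrets
import string
from typing import Optional

# Assumed 58-character alphabet: alphanumerics without the easily
# confused characters 0, O, 1 and l (62 - 4 = 58).
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits if c not in "0O1l"
)
assert len(ALPHABET) == 58

SEED_BITS = 32  # srand() takes an unsigned int: only 2**32 possible seeds


def weak_password(length: int, seed: Optional[int] = None) -> str:
    """Buggy pattern: /dev/random is read once, for a 32-bit seed only.

    The output is a deterministic function of that seed, so regardless
    of the requested length at most 2**32 distinct passwords can ever
    come out, and anyone who can guess the seed gets the password.
    """
    if seed is None:
        # 32 bits of OS entropy, then nothing but the PRNG afterwards
        seed = int.from_bytes(os.urandom(SEED_BITS // 8), "big")
    rng = random.Random(seed)  # deterministic PRNG, like srand()/rand()
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length: int) -> str:
    """Fixed pattern: every character comes from the OS CSPRNG.

    No user-visible seed exists, so the output space is the full
    58**length and the entropy per password is length * log2(58).
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly chosen password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def effective_bits_weak(alphabet_size: int, length: int,
                        seed_bits: int = SEED_BITS) -> float:
    """Entropy the seeded design actually delivers: capped by the seed.

    For 58 symbols the cap of 32 bits is hit at length 6 already, so the
    6..8 default lengths gain nothing from the extra characters.
    """
    return min(seed_bits, keyspace_bits(alphabet_size, length))


def is_deterministic(length: int, seed: int) -> bool:
    """True if two generators with the same seed emit the same password."""
    return weak_password(length, seed) == weak_password(length, seed)


def demo() -> None:
    for n in (6, 8):
        print(f"length {n}: ideal {keyspace_bits(58, n):.1f} bits, "
              f"seeded design {effective_bits_weak(58, n):.1f} bits")
    print("same seed, same password:", is_deterministic(8, 0xDEADBEEF))
    print("CSPRNG password:", strong_password(8))


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the gap the report complains about: an 8-character password from 58 symbols should carry about 46.9 bits, a 6-character one about 35.1 bits, but the seeded design never exceeds 32 bits whatever the length. The fix is not a better seed but removing the seeding step altogether, so that each character is a fresh draw from the cryptographic generator.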