Hello Luis,

in the light of this forwarded message, do you think the attached
patch (quite obvious) might be justified? If so, do you think you are
going to fix this issue in a new release, or would you rather like to
see me ship a patched Debian revision (which means no problem to me at
all)?

Cheers,
Flo - Debian maintainer of Crypt::PasswdMD5


----- Forwarded message from Eric Lammerts <[EMAIL PROTECTED]> -----

From: Eric Lammerts <[EMAIL PROTECTED]>
Subject: Bug#306293: minor error in salt generation
To: [EMAIL PROTECTED]
Reply-To: Eric Lammerts <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Date: Mon, 25 Apr 2005 11:16:01 -0400
Message-ID: <[EMAIL PROTECTED]>
User-Agent: Mozilla Thunderbird 1.0 (X11/20041206)

Package: libcrypt-passwdmd5-perl
Version: 1.3-4
Severity: minor

Hi,
I noticed that when you let Crypt::PasswdMD5 generate its own salt,
it only uses 63 values out of 64:

$itoa64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
...
$salt .= substr($itoa64,int(rand(64)+1),1)
   while length($salt) < 8;

The int(rand(64)+1) returns 1..64, so "." is never used, and one out of 
64 times an empty string is appended.

Because of the loop we'll still have 8 bytes, so it's not a big deal 
(total of 8*log(63)/log(2) = 47.8 bits of randomness instead of 48).

Eric


----- End forwarded message -----
--- PasswdMD5.pm        2004-02-17 12:21:38.000000000 +0100
+++ PasswdMD5.pm.new    2005-04-27 00:55:45.000000000 +0200
@@ -95,7 +95,7 @@
     }
     else {
        $salt = '';             # in case no salt was proffered
-       $salt .= substr($itoa64,int(rand(64)+1),1)
+       $salt .= substr($itoa64,int(rand(64)),1)
                        while length($salt) < 8;
     }
 
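
Review bot: the replacement line still hard-codes the bound as 64 in int(rand(64)) instead of deriving it from $itoa64, which is how the index range and the alphabet got out of step in the first place; int(rand(length $itoa64)) would keep the two tied together. The hunk also adds no regression check, so a test asserting that a generated salt is always 8 characters long and that "." can appear in it would be worth shipping with the fix.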

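The off-by-one described in the forwarded report can be confirmed without relying on random sampling. The following is an added example, not part of the original thread or of Crypt::PasswdMD5; the survey helper and the deterministic sweep that stands in for rand() are constructs of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Alphabet as quoted in the bug report.
my $itoa64 =
  "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

# Instead of sampling rand(64), sweep r across [0, 64) in steps of 1/16
# so that every offset the expression can produce is visited exactly
# as often as a uniform rand() would visit it.
sub survey {
    my ($offset_for) = @_;    # code ref: r in [0,64) -> substr offset
    my $steps = 64 * 16;
    my $empty = 0;
    my %seen;
    for my $i (0 .. $steps - 1) {
        my $ch = substr($itoa64, $offset_for->($i / 16), 1);
        if (length $ch) { $seen{$ch}++ }
        else            { $empty++ }     # offset 64: nothing appended
    }
    my @missing = grep { !$seen{$_} } split //, $itoa64;
    return (scalar(keys %seen), $empty / $steps, join('', @missing));
}

my @variants = (
    [ 'int(rand(64)+1)', sub { int($_[0] + 1) } ],    # reported code
    [ 'int(rand(64))',   sub { int($_[0]) } ],        # patched code
);

for my $v (@variants) {
    my ($name, $offset_for) = @$v;
    my ($distinct, $p_empty, $missing) = survey($offset_for);
    # Eight salt characters, each drawn uniformly from $distinct values.
    my $bits = 8 * log($distinct) / log(2);
    printf "%-16s distinct=%2d  P(empty)=%.4f  never used=[%s]  bits=%.1f\n",
        $name, $distinct, $p_empty, $missing, $bits;
}
```
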