Hi,
Last month I filed bug #651510 against gpw. Short version of this bug:
gpw is a password generator utility. The user provides the password
length and gpw generates one or more passwords of that length.
The bug causes gpw to generate shorter passwords than provided in some
cases.
This case is very rare:
in ~20 out of 1 million, the password is shorter than provided - for a
provided length of 10,
and in ~5-10 out of 1 million, the password is only 3 chars long (should be
independent of the provided length).
This rate shouldn't affect a normal user, I think. But e.g. if used in a
script for automatic generation of logins, that could be security
relevant if a 3-char password is assumed to be a secure password.
However, this case looks very constructed to me.
I hoped for a response from the maintainer to get a clear statement on
whether he sees this bug as a security bug, but since I filed it a month
ago, nothing has happened, and I am still not sure about the severity of
this bug.
Now I am thinking about retagging it as security, but first I want
to obtain some opinions here.
Thanks,
Michael Stummvoll
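For the scripted-login case raised in the message, a wrapper can check the generator's output length before the password is used. This is an added example, not part of the original post or of gpw; it assumes the generator is invoked as `<command> <count> <length>` and prints one password per line, and the names `checked_password`, `GENERATOR` and `MAX_TRIES` are hypothetical.

```shell
#!/bin/sh
# Added example: length-checked wrapper around a password generator.
# Assumption: GENERATOR is called as "<cmd> <count> <length>" and prints
# one password per line. GENERATOR and MAX_TRIES are hypothetical knobs.
GENERATOR=${GENERATOR:-gpw}
MAX_TRIES=${MAX_TRIES:-5}

# checked_password LENGTH
# Prints one password of exactly LENGTH characters and returns 0.
# Returns 2 on a bad argument, 1 if every attempt had the wrong length.
checked_password() {
    want=$1
    case $want in
        ''|*[!0-9]*) echo "length must be a positive integer" >&2; return 2 ;;
    esac
    [ "$want" -gt 0 ] || return 2

    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        tries=$((tries + 1))
        # Take only the first line so extra output cannot inflate the length.
        pw=$($GENERATOR 1 "$want" 2>/dev/null | head -n 1) || continue
        if [ "${#pw}" -eq "$want" ]; then
            printf '%s\n' "$pw"
            return 0
        fi
        # Log the rejected length only, never the rejected password itself.
        echo "rejected generator output of length ${#pw} (wanted $want)" >&2
    done
    return 1
}
```

A calling script should treat a non-zero return as a hard failure and create no account, rather than falling back to whatever the generator printed.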