I reviewed libpwquality version 1.2.3-1 as checked into trusty. This should not be considered a full security audit, but rather a quick gauge of code quality.
- libpwquality provides a PAM module and several binaries to provide feedback on the quality of passwords
- Primary interface is via the pam_sm_chauthtok() function in the PAM stack; two binaries, pwscore and pwmake, are also provided. There are also library bindings available for both C and Python.
- Build-depends upon libcrack2, libpam0g, python-all-dev, gnome-pkg-tools
- Does not daemonize
- Does not itself listen on the network
- In usual use, does not run as system user
- Package scripts properly clean up
- No initscripts
- No Dbus services
- No setuid
- No sudo fragments
- No udev rules
- No cronjobs
- No tests
- Clean build logs
- No subprocesses spawned
- Memory management looked careful
- Files are only read; configuration file, passwd file, /dev/urandom
- Logging functions looked safe, didn't appear to log failed passwords
- No environment variables
- Does not manage privileges
- No encryption
- No networking
- No privileged portions of code
- No tmp files
- No WebKit
- No PolicyKit
- pwmake and pwscore are not PIE
- Some warnings from the build:

  dpkg-shlibdeps: warning: package could avoid a useless dependency if debian/python-pwquality/usr/lib/python2.7/dist-packages/pwquality.so was not linked against libpthread.so.0 (it uses none of the library's symbols)
  dpkg-gencontrol: warning: Pre-Depends field of package libpwquality-common: unknown substitution variable ${misc:Pre-Depends}
  dpkg-gencontrol: warning: package python-pwquality: unused substitution variable ${python:Versions}

Most of this library is well-programmed with clear and easy code; the password generation logic is overcomplicated by accounting for bits of entropy consumed rather than bytes of entropy consumed, but I did not spot any flaws in the functions. The function is free from many common mistakes such as using a weak PRNG, or poorly seeding a PRNG, or using the PRNG in a manner that biases outputs.
Sometimes the output starts with a consonants2, sometimes with a vowel; output never starts with a consonants1. This roughly doubles the strength of the password for the given number of bits desired.

Many of the quality checks assume an iso-8859-* family of password or username encodings; I suspect the value of the checks on UTF-8 passwords with codepoints that do not match iso-8859-1 characters will be very low.

Please investigate the dpkg warnings.

Security team ACK for promoting to main.

Thanks

** Changed in: libpwquality (Ubuntu)
   Assignee: Seth Arnold (seth-arnold) => (unassigned)

https://bugs.launchpad.net/bugs/1017285
Title: [MIR] libpwquality
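To make the encoding concern above concrete, here is an added illustration (not libpwquality's code, and not taken from the review): a hypothetical byte-at-a-time character-class count that interprets every byte of a UTF-8 password as an ISO-8859-1 character, compared with the same count over Unicode code points. The password "Пароль" is a constructed sample.

```python
from typing import Dict, Iterable

# Hypothetical helper for illustration; libpwquality's real checks differ.
def _classify(chars: Iterable[str]) -> Dict[str, int]:
    """Count upper/lower/digit/other characters and total length."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "other": 0, "length": 0}
    for ch in chars:
        counts["length"] += 1
        if ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["other"] += 1
    return counts


def byte_oriented_classes(password: str) -> Dict[str, int]:
    """Model of a check that walks the UTF-8 bytes one at a time and treats
    each byte as an ISO-8859-1 character (the assumption flagged above).
    Multi-byte code points are split into lead/continuation bytes, so length
    is inflated and lead bytes such as 0xD0/0xD1 read as Latin-1 uppercase."""
    return _classify(password.encode("utf-8").decode("latin-1"))


def codepoint_classes(password: str) -> Dict[str, int]:
    """The same count performed on Unicode code points."""
    return _classify(password)


if __name__ == "__main__":
    sample = "Пароль"  # constructed Cyrillic sample, 6 code points, 12 bytes
    print("byte view     :", byte_oriented_classes(sample))
    print("codepoint view:", codepoint_classes(sample))
```

For pure ASCII input both views agree; for the Cyrillic sample the byte view reports twelve characters, six of them "uppercase", while the code-point view sees one uppercase and five lowercase letters, which is why a byte-oriented check adds little assurance for such passwords.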