| Summary: | pwgen new security issues CVE-2013-4440 and CVE-2013-4442 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | olchal, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/626425/ | | |
| Whiteboard: | advisory has_procedure MGA4-32-OK MGA4-64-OK | | |
| Source RPM: | pwgen-2.06-11.mga5.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser 2014-12-15 20:23:45 CET

David Walser 2014-12-15 21:12:17 CET
URL: (none) => http://lwn.net/Vulnerabilities/626425/

Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated pwgen package fixes security vulnerabilities:

Pwgen was found to generate weak non-tty passwords by default, which could be brute-forced with a commendable success rate, which could raise security concerns (CVE-2013-4440).

Pwgen was found to silently fall back to using standard pseudo-generated numbers on systems that heavily use entropy. On systems such as those with a lot of daemons providing encryption services, the entropy was found to be exhausted, which forces pwgen to fall back to using standard pseudo-generated numbers (CVE-2013-4442).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4442
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146237.html
========================

Updated packages in core/updates_testing:
========================
pwgen-2.07-1.mga4

from pwgen-2.07-1.mga4.src.rpm

Version: Cauldron => 4

Testing on Mageia4x32 real hardware

Didn't find any PoC concerning the security vulnerabilities, so tested the current and testing packages to see if any regression could be found.

Current package:
----------------
pwgen-2.06-9.mga4

Generated 3 aleatory passwords with 9 characters:
$ pwgen 9 3
Wah7xeixe yaipaej9A veum2zieG
Re-did it to verify it didn't give the same result = OK

Same with one password per line:
$ pwgen -1 9 3
Wae9ohngu
yij3Zae9c
aeChoo0Vi

In a directory containing a file named boite.jpg, generate a non-aleatory password from this file and the word mageia:
$ pwgen -sy -H boite.jpg#mageia 9 3
[|3ir^qJl U}9hcF7L/ ][/F1)j=^
Did it a second time to verify it gave the same results = OK

Updated testing package:
-----------------------
pwgen-2.07-1.mga4

Ran the same tests, all OK; verified that pwgen -sy -H boite.jpg#mageia 9 3 still gave the same result = OK

CC: (none) => olchal

Testing on Mageia4x64 real hardware using the same procedure as in comment 2
From pwgen-2.06-9.mga4
To pwgen-2.07-1.mga4
All OK

Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK

Validating. Advisory uploaded.
Please push to 4 updates.
Thanks

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0535.html

Status: NEW => RESOLVED