Your message dated Sun, 25 Aug 2024 08:34:38 +0000
with message-id <[email protected]>
and subject line Bug#987952: fixed in apg 2.2.3.dfsg.1-7
has caused the Debian Bug report #987952,
regarding apg: security concerns in apg
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
987952: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987952
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: apg
Version: 2.2.3.dfsg.1-5+b2
Severity: normal
Tags: security
Hey.
I was thinking about a number of security concerns, and since I'm no
expert, maybe someone else has an idea:
1) Attack on pronounceable passwords?
Via https://en.wikipedia.org/wiki/Random_password_generator#Stronger_methods
I've stumbled over:
Ganesan, Ravi; Davies, Chris (1994). "A New Attack on Random Pronounceable
Password Generators"
http://csrc.nist.gov/publications/history/nissc/1994-17th-NCSC-proceedings-vol-1.pdf
and
http://www.andrew.cmu.edu/user/nicolasc/publications/Shay-SOUPS12.pdf
The former seems to be an attack on what I guess apg is doing when -a 0?
So maybe, if that is real, one should warn against using -a 0?
2) Are symbols well distributed?
The following is really absolutely NOT solid, and probably just a stupid
perception of mine.
For many years now I've used:
APG_PARM="-c /dev/urandom -a 1 -M SNCL -m 32 -x 32"
and I kinda always had the impression that special symbols are way
over-represented, e.g.
6^20:#;$0dZw7%AWM{@rVX']TK2q3(kX
IHxb*Yse?^@Kx[kZhxJp;4nOPCRxfhe(
ty%'a}U{+A)@>r|4;_#$yP^9[ZVXLTN<
5Fz_0.&_rK2+[3vBC0IRODQD5B]M#T9u
m#_dRg@x@)\mgbbz57,.||(!g5D`R={d
++4v%Ozl3Ae[e<y0|;W^\\!*zjzW@iFY
I had a *very brief* look over the code and couldn't find anything
obvious, that would cause troubles in the random distribution,
but again it was *very brief* and I'm all but an expert.
I tried to do some poor-man testing via something like:
apg -n 10000 -a 1 -M SNCL -m 32 -x 32 | sed "s/\(.\)/\1\n/g" | sort | uniq -c | sort -k 2
But that seems to show that each symbol gets a similar share when
the numbers are large enough.
So probably my whole point (2) is rubbish, anyway, some expert may
have more insight.
Cheers,
Chris.
--- End Message ---
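As an added example (not part of the report above or of the apg package), the "poor-man testing" in the report made quantitative: a script that reads generator output one password per line, counts each character, and computes a chi-square statistic against a uniform draw over the selected character classes. It assumes the classes behind apg's -M letters are Python's string.punctuation, digits, uppercase and lowercase, which may not match apg's real symbol set; characters outside that assumed alphabet are reported so the alphabet can be corrected.

```python
"""Uniformity check for password-generator output, one password per line on
stdin, e.g.:  apg -n 10000 -a 1 -M SNCL -m 32 -x 32 | python3 check.py"""
import math
import string
import sys
from collections import Counter

# Assumed character classes behind apg's -M letters (S=symbol, N=numeric,
# C=capital, L=lower); apg's real symbol set may differ, see "outside_alphabet".
CLASSES = {"S": string.punctuation, "N": string.digits,
           "C": string.ascii_uppercase, "L": string.ascii_lowercase}

def alphabet(modes="SNCL"):
    return "".join(CLASSES[m] for m in modes)

def char_counts(passwords):
    return Counter("".join(passwords))

def chi_square(counts, alpha):
    """Chi-square of observed counts vs. a uniform draw over alpha."""
    total = sum(counts[c] for c in alpha)
    if total == 0:
        return 0.0
    expected = total / len(alpha)
    return sum((counts[c] - expected) ** 2 / expected for c in alpha)

def suspicious(stat, df):
    """Normal approximation: a chi-square variable with df degrees of freedom
    has mean df and sd sqrt(2*df); flag anything more than 3 sd above the mean."""
    return stat > df + 3 * math.sqrt(2 * df)

def class_shares(counts, modes="SNCL"):
    """Fraction of characters in each class; under per-character uniform
    sampling this should track each class's share of the alphabet (S: 32/94)."""
    total = sum(counts.values()) or 1
    return {m: sum(counts[c] for c in CLASSES[m]) / total for m in modes}

def report(lines, modes="SNCL"):
    pws = [ln.rstrip("\n") for ln in lines if ln.strip()]
    counts, alpha = char_counts(pws), alphabet(modes)
    stat, df = chi_square(counts, alpha), len(alpha) - 1
    return {"passwords": len(pws), "chi_square": round(stat, 1), "df": df,
            "suspicious": suspicious(stat, df),
            "class_shares": {m: round(s, 3) for m, s in class_shares(counts, modes).items()},
            "outside_alphabet": sorted(set(counts) - set(alpha))}

if __name__ == "__main__":
    for key, value in report(sys.stdin).items():
        print(f"{key}: {value}")
```

A chi-square far above df (93 for SNCL) over a few hundred thousand characters would point to the over-representation the report suspects; a value near df is consistent with the uniform share the `sort | uniq -c` pipeline suggested.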
--- Begin Message ---
Source: apg
Source-Version: 2.2.3.dfsg.1-7
Done: Marc Haber <[email protected]>
We believe that the bug you reported is fixed in the latest version of
apg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marc Haber <[email protected]> (supplier of updated apg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sun, 25 Aug 2024 09:34:03 +0200
Source: apg
Architecture: source
Version: 2.2.3.dfsg.1-7
Distribution: unstable
Urgency: medium
Maintainer: Marc Haber <[email protected]>
Changed-By: Marc Haber <[email protected]>
Closes: 987952 1079041
Changes:
apg (2.2.3.dfsg.1-7) unstable; urgency=medium
.
* fix wrong clamp-mtime expression in debian/rules.
Thanks to Chris Lamb (Closes: #1079041)
* apply more man page pages regarding security warnings.
Thanks to Christoph Anton Mitterer (Closes: #987952)
--- End Message ---