Package: whois
Version: 4.7.32
Severity: normal
Tags: security

Hi!

While discussing bug 505640, I noticed that "mkpasswd" doesn't really
belong in the whois package.

Additionally, the code is buggy and not very random:

    srand(time(NULL) + getpid());

This needs to at least use /dev/urandom, or sec+usec as done in shadow.

Nicolas François also noted:

  There is also a bug that it does not accept salt smaller than 16 bytes for
  sha-256 and sha-512. This does not conform to
  http://people.redhat.com/drepper/SHA-crypt.txt

I would recommend dropping mkpasswd (potentially in favor of a PAM-based
tool as discussed in bug 505640).

Thanks,

-Kees

-- 
Kees Cook                                            @debian.org
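As an added illustration of the two points raised in the report (this is example code written for this page, not mkpasswd's or the whois package's own source), the block below draws salt bytes from /dev/urandom rather than seeding rand() with time(NULL) + getpid(), whose seed space is small enough to enumerate, and accepts any SHA-crypt salt length from 1 to 16 characters rather than rejecting salts shorter than 16. The function names gen_salt, read_urandom and valid_sha_crypt_salt are this example's own; the 16-character upper bound is the one in the SHA-crypt specification linked above.

```c
/* Added example, not part of mkpasswd: crypt(3)-style salt generation
 * from the kernel CSPRNG, plus a length check matching SHA-crypt. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Alphabet used by crypt(3) salts: ./0-9A-Za-z (64 symbols). */
static const char SALT_CHARS[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Fill buf with len bytes from /dev/urandom.
 * Returns 0 on success, -1 if the device cannot be read in full. */
static int read_urandom(unsigned char *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Write a salt of `len` characters (1..16, the SHA-crypt maximum) into
 * out, which must hold len + 1 bytes. Returns 0 on success, -1 on a bad
 * length or RNG failure. Each byte is reduced modulo 64; since 256 is a
 * multiple of 64, the mapping is unbiased. */
int gen_salt(char *out, size_t len)
{
    unsigned char raw[16];

    if (len < 1 || len > 16)
        return -1;
    if (read_urandom(raw, len) != 0)
        return -1;
    for (size_t i = 0; i < len; i++)
        out[i] = SALT_CHARS[raw[i] & 0x3f];
    out[len] = '\0';
    memset(raw, 0, sizeof raw);
    return 0;
}

/* Return 1 if salt is acceptable for SHA-256/SHA-512 crypt: between 1
 * and 16 characters, all from the crypt alphabet. A salt shorter than
 * 16 characters is valid and must not be rejected. */
int valid_sha_crypt_salt(const char *salt)
{
    size_t n = strlen(salt);

    if (n < 1 || n > 16)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!strchr(SALT_CHARS, salt[i]))
            return 0;
    return 1;
}

int main(void)
{
    char salt[17];

    /* Generate an 8-character salt and a full 16-character one. */
    for (size_t len = 8; len <= 16; len += 8) {
        if (gen_salt(salt, len) != 0) {
            fprintf(stderr, "salt generation failed\n");
            return 1;
        }
        printf("%zu-char salt: %s (valid=%d)\n", len, salt,
               valid_sha_crypt_salt(salt));
    }
    /* A short salt is still valid per SHA-crypt. */
    printf("\"ab\" valid=%d\n", valid_sha_crypt_salt("ab"));
    return 0;
}
```

For a real fix, glibc's getrandom(2) would avoid the file descriptor entirely; /dev/urandom is used here because it is what the report names and it works on any Linux system.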