[Openstack-security] [Bug 1319639] Re: Standard random number generators (using shuffle) should not be used to generate randomness

John Griffith 1319639 at bugs.launchpad.net
Tue Jun 10 19:49:35 UTC 2014


** Changed in: cinder
    Milestone: juno-1 => juno-2

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1319639

Title:
  Standard random number generators (using shuffle) should not be used
  to generate randomness

Status in Cinder:
  Triaged

Bug description:
  In the Cinder code, /cinder/utils.py, the two lines of code below use
  shuffle to generate a random number. Standard random number generators
  should not be used to generate randomness that is relied on for security.
  Could we use a cryptographic randomness generator that provides sufficient
  entropy instead of it?

      # If length < len(symbolgroups), the leading characters will only
      # be from the first length groups. Try our best to not be predictable
      # by shuffling and then truncating.
      r.shuffle(password)  # <-- This line of code has the described issue.
      password = password[:length]
      length -= len(password)

      # finally shuffle to ensure first x characters aren't from a
      # predictable group
      r.shuffle(password)  # <-- This line of code has the described issue.

      return ''.join(password)

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1319639/+subscriptions
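The following is an added example, not code from the bug report or from Cinder itself. It models the generator the report quotes (one pick per symbol group, fill, shuffle, truncate) with the random source passed in, so the same function shows the weakness and the fix: a seeded `random.Random` makes the shuffles and picks fully reproducible, while `random.SystemRandom` draws from the OS CSPRNG (`os.urandom`). The symbol groups, function names and default length are assumptions made for this example, not Cinder's exact values.

```python
import random

# Constructed symbol groups for this example (not Cinder's exact defaults).
SYMBOLGROUPS = ("23456789",
                "ABCDEFGHJKLMNPQRSTUVWXYZ",
                "abcdefghijkmnopqrstuvwxyz")


def generate_password(length=20, symbolgroups=SYMBOLGROUPS, rng=None):
    """Build a password containing at least one character from each group.

    rng is the random source. A seeded random.Random reproduces the
    weakness in the bug report: every choice() and shuffle() is a pure
    function of the seed, so the "random" password is predictable.
    random.SystemRandom (the hardened default here) uses os.urandom and
    supports the same choice()/shuffle() API, so the fix is a drop-in swap.
    """
    if rng is None:
        rng = random.SystemRandom()  # CSPRNG-backed source (hypothetical default)

    # One character from each group so every group is represented.
    password = [rng.choice(group) for group in symbolgroups]

    # If length < len(symbolgroups), shuffle before truncating so the leading
    # characters are not always drawn from the first groups in order.
    rng.shuffle(password)
    password = password[:length]
    length -= len(password)

    # Fill the remainder from the union of all groups.
    symbols = "".join(symbolgroups)
    password.extend(rng.choice(symbols) for _ in range(length))

    # Final shuffle so the first len(symbolgroups) characters are not the
    # per-group picks in a predictable order.
    rng.shuffle(password)
    return "".join(password)


def covers_all_groups(pw, symbolgroups=SYMBOLGROUPS):
    """True if every symbol group contributed at least one character."""
    return all(any(c in group for c in pw) for group in symbolgroups)


def weak_is_reproducible(seed=1234, length=20):
    """Demonstrates the reported issue: two generators seeded identically
    produce byte-for-byte identical 'random' passwords."""
    first = generate_password(length, rng=random.Random(seed))
    second = generate_password(length, rng=random.Random(seed))
    return first == second


if __name__ == "__main__":
    print("seeded random.Random reproducible:", weak_is_reproducible())
    print("SystemRandom password:", generate_password(20))
```

`random.SystemRandom` is what the standard library's `secrets` module wraps (`secrets.SystemRandom` is the same class), so on Python 3.6+ `secrets.choice` is an equivalent replacement for the per-character picks; the shuffle still has to come from a `SystemRandom` instance because `secrets` has no shuffle of its own.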
