[Openstack-security] [Bug 1368040] Re: random.choice in /cinder/volume/utils.py may has potential security issue

Thierry Carrez thierry.carrez+lp at gmail.com
Fri Sep 19 13:48:37 UTC 2014


** Tags added: security

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1368040

Title:
  random.choice in /cinder/volume/utils.py may has potential security
  issue

Status in Cinder:
  Invalid
Status in OpenStack Compute (Nova):
  Incomplete
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  The choice is used for security here; could we find other, more
  secure methods to generate randomness?

  # NOTE(jerdfelt): Some password policies require at least one character
  # from each group of symbols, so start off with one random character
  # from each symbol group
  password = [random.choice(s) for s in symbolgroups]  # <-- This line has the described issue
  # If length < len(symbolgroups), the leading characters will only
  # be from the first length groups. Try our best to not be predictable
  # by shuffling and then truncating.

  # then fill with random characters from all symbol groups
  symbols = ''.join(symbolgroups)
  password.extend([random.choice(symbols) for _i in xrange(length)])  # <-- This line has the described issue

  # finally shuffle to ensure first x characters aren't from a
  # predictable group

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1368040/+subscriptions
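
Added example (not part of the original bug report and not Cinder's code): the password routine from the quoted snippet with its random source made injectable and defaulting to random.SystemRandom, which draws from the OS CSPRNG instead of the Mersenne Twister behind the module-level random.choice. The symbol groups, function names and seed value are assumptions made for this illustration; the shuffle and truncate steps follow the snippet's comments.

```python
import random
import string

# Constructed symbol groups for this example (not Cinder's actual defaults).
SYMBOL_GROUPS = (string.digits, string.ascii_uppercase, string.ascii_lowercase)


def generate_password(length=20, symbolgroups=SYMBOL_GROUPS, rng=None):
    """Build a password the way the quoted snippet does, drawing from `rng`.

    `rng` is any object with choice() and shuffle(). It defaults to
    random.SystemRandom(), which reads the operating system's CSPRNG.
    """
    if rng is None:
        rng = random.SystemRandom()
    # One character from each symbol group, to satisfy password policies.
    password = [rng.choice(group) for group in symbolgroups]
    # If length < len(symbolgroups), shuffle before truncating so the
    # surviving characters are not always from the first groups.
    rng.shuffle(password)
    password = password[:length]
    # Fill the remainder from the union of all symbol groups.
    symbols = "".join(symbolgroups)
    password.extend(rng.choice(symbols) for _ in range(length - len(password)))
    # Final shuffle so the leading characters are not from known groups.
    rng.shuffle(password)
    return "".join(password)


def same_state_repeats(seed=1234):
    """Illustrate the concern with the default generator: two Mersenne
    Twister instances in the same state produce the same password.
    The seed is an arbitrary constructed value."""
    first = generate_password(rng=random.Random(seed))
    second = generate_password(rng=random.Random(seed))
    return first == second


if __name__ == "__main__":
    print("PRNG output repeats for equal state:", same_state_repeats())
    print("CSPRNG-backed password:", generate_password())
```

On Python 3.6 and later, secrets.choice offers the same CSPRNG-backed selection for the per-character draws.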



