[Openstack-security] [Bug 1319639] Re: Standard random number generators (using shuffle ) should not be used to generate randomness
OpenStack Infra
1319639 at bugs.launchpad.net
Thu Jul 10 08:46:04 UTC 2014
Reviewed: https://review.openstack.org/105779
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=063e515e780c241ddac755b0b9a2414316d983f5
Submitter: Jenkins
Branch: master
commit 063e515e780c241ddac755b0b9a2414316d983f5
Author: Ivan Kolodyazhny <e0ne at e0ne.info>
Date: Wed Jul 9 19:08:18 2014 +0300
Use PyCrypto to generate random passwords
Standard random generator is not secure enough. Use PyCrypto instead.
Updated requirements.txt with pycrypto>=2.6 according to
global-requirements
Change-Id: I38fd47a30893a946de30fad95c57759781312be6
Closes: bug #1319639
** Changed in: cinder
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1319639
Title:
Standard random number generators (using shuffle ) should not be used
to generate randomness
Status in Cinder:
Fix Committed
Bug description:
In cinder code: /cinder/utils.py. The two lines of code below use
shuffle to generate a random number. Standard random number generators
should not be used to generate randomness used for security reasons.
Could we use a cryptographic randomness generator to provide sufficient
entropy instead of it?
# If length < len(symbolgroups), the leading characters will only
# be from the first length groups. Try our best to not be predictable
# by shuffling and then truncating.
r.shuffle(password)  # <-- this line of code has the described issue
password = password[:length]
length -= len(password)
# finally shuffle to ensure first x characters aren't from a
# predictable group
r.shuffle(password)  # <-- this line of code has the described issue
return ''.join(password)
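The following is an added example, not code from the bug report or from the cinder commit: it rebuilds the shuffle-and-truncate password generator in the shape the quoted fragment implies (the symbol groups and the surrounding function body are assumed, since the report only shows the two shuffle lines), and lets the caller pick the random source. Passing random.Random reproduces the reported weakness (the Mersenne Twister's output is fully determined by its seed, so passwords can be replayed by anyone who learns or guesses the seed); passing random.SystemRandom draws from the OS CSPRNG, which is the stdlib equivalent of the Crypto.Random source the committed fix switched to.

```python
import random

# Symbol groups in the style of cinder's generate_password. The exact groups
# are not shown in the bug report; these are assumed for the example.
DEFAULT_PASSWORD_SYMBOLS = (
    "23456789",                    # digits without 0/1 (confusable with O/l)
    "ABCDEFGHJKLMNPQRSTUVWXYZ",    # uppercase without I/O
    "abcdefghijkmnopqrstuvwxyz",   # lowercase without l
)


def generate_password(rng, length=20, symbolgroups=DEFAULT_PASSWORD_SYMBOLS):
    """Build a password of `length` characters that contains at least one
    character from every symbol group (when length >= number of groups).

    `rng` is any object exposing choice() and shuffle(): random.Random is
    the insecure generator the bug describes, random.SystemRandom is the
    CSPRNG-backed replacement.
    """
    # One character from each group so every group is represented.
    password = [rng.choice(group) for group in symbolgroups]
    # If length < len(symbolgroups), the leading characters would only be
    # from the first `length` groups: shuffle before truncating.
    rng.shuffle(password)
    password = password[:length]
    length -= len(password)
    # Fill the remainder from the union of all groups.
    symbols = "".join(symbolgroups)
    password.extend(rng.choice(symbols) for _ in range(length))
    # Final shuffle so the first characters are not from a predictable group.
    rng.shuffle(password)
    return "".join(password)


def insecure_password(length=20, seed=None):
    """Mersenne Twister: the whole output stream is a function of the seed."""
    return generate_password(random.Random(seed), length)


def secure_password(length=20):
    """os.urandom-backed generator: cannot be seeded or replayed."""
    return generate_password(random.SystemRandom(), length)


def is_replayable(length=20, seed=12345):
    """Demonstrate the defect: two random.Random instances started from the
    same seed emit the same sequence of 'random' passwords."""
    gen_a = random.Random(seed)
    gen_b = random.Random(seed)
    series_a = [generate_password(gen_a, length) for _ in range(3)]
    series_b = [generate_password(gen_b, length) for _ in range(3)]
    return series_a == series_b


def covers_all_groups(password, symbolgroups=DEFAULT_PASSWORD_SYMBOLS):
    """Check that each symbol group contributed at least one character."""
    return all(any(c in group for c in password) for group in symbolgroups)


if __name__ == "__main__":
    print("seeded Random replayable:", is_replayable())
    print("SystemRandom password:  ", secure_password())
```

The shuffle logic is identical in both paths; the only thing that changes is where the bits come from. That is why the fix is a one-line source swap rather than a rewrite of the composition logic, and why a review should look at the construction of `r`, not at the shuffle calls themselves.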
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1319639/+subscriptions