[Openstack-security] [Bug 1319639] Re: Standard random number generators (using shuffle ) should not be used to generate randomness
Jeremy Stanley
fungi at yuggoth.org
Wed May 28 19:39:39 UTC 2014
I've removed the advisory task, switched the bug from public security
(indicating some sort of actual vulnerability) to public, and added the
"security" tag to indicate it's a potential strengthening opportunity.
** No longer affects: ossa
** Information type changed from Public Security to Public
** Tags added: security
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1319639
Title:
Standard random number generators (using shuffle ) should not be used
to generate randomness
Status in Cinder:
Triaged
Bug description:
In the cinder code (/cinder/utils.py), the two lines of code below use
shuffle to generate a random number. Standard random number generators
should not be used to generate randomness used for security reasons.
Could we use a cryptographic randomness generator to provide sufficient
entropy instead?
    # If length < len(symbolgroups), the leading characters will only
    # be from the first length groups. Try our best to not be predictable
    # by shuffling and then truncating.
    r.shuffle(password)  # <-- reporter's note: this line has the described issue
    password = password[:length]
    length -= len(password)
    # finally shuffle to ensure first x characters aren't from a
    # predictable group
    r.shuffle(password)  # <-- reporter's note: this line has the described issue
    return ''.join(password)
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1319639/+subscriptions
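The shuffle-and-truncate pattern quoted in the report, as an added example that is not cinder's own code: the generator is passed in as a parameter so that a seeded Mersenne Twister instance (random.Random, the module default) and an os.urandom-backed random.SystemRandom can be compared. The symbol groups and the function name are assumptions for this example, not cinder's DEFAULT_PASSWORD_SYMBOLS or its utils.generate_password. The point the report makes is visible in seeded_outputs_match(): with the standard generator, shuffling adds nothing an attacker who knows or recovers the generator state cannot reproduce.

```python
"""Added example, not cinder's code: the shuffle-and-truncate password
pattern from bug 1319639, parameterised on the RNG so a predictable
generator and a CSPRNG can be compared side by side."""
import random
import string

# Constructed symbol groups for this example (assumption: cinder's real
# DEFAULT_PASSWORD_SYMBOLS may differ).
SYMBOL_GROUPS = (
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
)


def generate_password(length=20, symbolgroups=SYMBOL_GROUPS, rng=None):
    """Build a password containing at least one character from each group.

    rng must expose choice() and shuffle(). For security-sensitive use pass
    random.SystemRandom(), which reads os.urandom. The module-level
    random functions and random.Random are Mersenne Twister: the sequence
    is fully determined by the seed and the internal state can be
    reconstructed from observed outputs, so shuffle() does not add any
    unpredictability that such an attacker cannot reproduce.
    """
    if rng is None:
        rng = random.SystemRandom()
    # One character from each group, so policies requiring every group pass.
    password = [rng.choice(group) for group in symbolgroups]
    # Shuffle before truncating so a password shorter than the number of
    # groups is not biased toward the leading groups.
    rng.shuffle(password)
    password = password[:length]
    remaining = length - len(password)
    # Fill the rest from the union of all groups (no-op when remaining <= 0).
    symbols = "".join(symbolgroups)
    password.extend(rng.choice(symbols) for _ in range(remaining))
    # Final shuffle so the first len(symbolgroups) characters are not
    # one-per-group in a predictable order.
    rng.shuffle(password)
    return "".join(password)


def covers_all_groups(password, symbolgroups=SYMBOL_GROUPS):
    """True if every symbol group contributed at least one character."""
    return all(any(c in group for c in password) for group in symbolgroups)


def seeded_outputs_match(seed=1234, length=20):
    """Two standard generators in the same state yield the same 'random'
    password. This reproducibility is why random.Random is unsuitable here
    and SystemRandom should be used instead."""
    first = generate_password(length, rng=random.Random(seed))
    second = generate_password(length, rng=random.Random(seed))
    return first == second


if __name__ == "__main__":
    print("SystemRandom:", generate_password(20))
    print("seeded Random reproducible:", seeded_outputs_match())
```

The hardened form is the same function with the default rng (SystemRandom); the weak form is the same function with the module-level generator or a random.Random instance. The length-2 case exercises the truncation branch the report's first shuffle is there to protect.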