
yahoo-eng-team team mailing list archive

[Bug 1368040] Re: random.choice in /cinder/volume/utils.py may have a potential security issue

 

The same method is used in /nova/virt/disk/api.py:

            'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
            '0123456789./')
    salt = 16 * ' '
    return ''.join([random.choice(salt_set) for c in salt])  # <-- This line has the described issue


def _set_passwd(username, admin_passwd, passwd_data, shadow_data):

** Also affects: nova
   Importance: Undecided
       Status: New

** Also affects: cinder
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1368040

Title:
  random.choice in /cinder/volume/utils.py may have a potential security
  issue

Status in Cinder:
  New
Status in OpenStack Compute (Nova):
  New
Status in OpenStack Security Advisories:
  New

Bug description:
  The choice is used for security here; could we find other, more
  secure methods to generate randomness?

  # NOTE(jerdfelt): Some password policies require at least one character
  # from each group of symbols, so start off with one random character
  # from each symbol group
  password = [random.choice(s) for s in symbolgroups]  # <-- This line has the described issue
  # If length < len(symbolgroups), the leading characters will only
  # be from the first length groups. Try our best to not be predictable
  # by shuffling and then truncating.

  # then fill with random characters from all symbol groups
  symbols = ''.join(symbolgroups)
  password.extend([random.choice(symbols) for _i in xrange(length)])  # <-- This line has the described issue

  # finally shuffle to ensure first x characters aren't from a
  # predictable group

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1368040/+subscriptions
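
As an added illustration of the report above (not code from Cinder, Nova or the bug thread), the same password and salt logic can draw from the operating system's CSPRNG through `random.SystemRandom`, which keeps the `choice()`/`shuffle()` interface of the quoted lines. `DEFAULT_SYMBOLGROUPS`, the lowercase row of `SALT_SET` and the `rng` parameter are assumptions made for the example.

```python
import random
import string

# SystemRandom reads from os.urandom (the OS CSPRNG) and cannot be seeded,
# unlike the module-level Mersenne Twister behind random.choice().
_rng = random.SystemRandom()

# Assumed symbol groups for illustration; not the project's actual defaults.
DEFAULT_SYMBOLGROUPS = (string.digits,
                        string.ascii_uppercase,
                        string.ascii_lowercase)

# crypt(3)-style salt alphabet. The lowercase row is an assumption: the
# quoted fragment is cut off above the uppercase row.
SALT_SET = (string.ascii_lowercase + string.ascii_uppercase +
            string.digits + './')


def generate_password(length=16, symbolgroups=DEFAULT_SYMBOLGROUPS, rng=_rng):
    """Return a password with one character from each symbol group.

    rng is a hypothetical parameter added so the seeded and CSPRNG
    generators can be compared; production callers should leave it alone.
    """
    if length < 1:
        raise ValueError('length must be at least 1')
    # One character from each group, so per-group password policies pass.
    password = [rng.choice(s) for s in symbolgroups]
    # If length < len(symbolgroups), shuffle before truncating so the kept
    # characters do not always come from the leading groups.
    rng.shuffle(password)
    password = password[:length]
    # Fill the remainder with characters drawn from all groups together.
    symbols = ''.join(symbolgroups)
    password.extend(rng.choice(symbols) for _ in range(length - len(password)))
    # Final shuffle so the first characters are not from a predictable group.
    rng.shuffle(password)
    return ''.join(password)


def generate_salt(length=16, rng=_rng):
    """Return a salt of the given length drawn from SALT_SET."""
    return ''.join(rng.choice(SALT_SET) for _ in range(length))
```

Passing a seeded `random.Random` as `rng` reproduces the same password on every run, which is the property the report is concerned about; the default `SystemRandom` instance has no seed to recover.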