Hi Jan and security team!

I won't have access to a machine where I can easily apply and test the patch until later next week. If any of you want to review and apply it, that would be great; otherwise I'll do so in about a week.

Cheers,
James


On Thu, Aug 7, 2014 at 7:43 AM, Jan Rusnacko <jrusnack@fedoraproject.org> wrote:
Hello James,

I am looking at old vulnerabilities and package you own, pwgen, currently has three of them: CVE-2013-4440, CVE-2013-4441 and CVE-2013-4442.

I contacted upstream author Theodore Ts'o, who acknowledged CVE-2013-4440 and CVE-2013-4442 are problems, but refused to merge the fix proposed on the list (http://marc.info/?l=oss-security&m=137049241132104&w=4) for good reasons. I did an analysis on CVE-2013-4441 and I believe it's basically not fixable without breaking pwgen completely.

For the other two issues I wrote a patch and sent it upstream, but received no response. So, for the time being, could you please look at the patch and see if we can update pwgen in Fedora and EPEL to fix CVE-2013-4440 and CVE-2013-4442?

Thank you!
--
Jan Rusnacko, Fedora Security Team