Bug 894487

Summary: python-pyrad: potentially predictable password hashing [fedora-all]
Product: [Fedora] Fedora Reporter: Nathaniel McCallum <npmccallum>
Component: python-pyradAssignee: Peter Lemenkov <lemenkov>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: security-response-team
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: python-pyrad-2.0-3.fc20 Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-09-15 00:49:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 911682    

Description Nathaniel McCallum 2013-01-11 21:03:32 UTC 
pyrad uses Python's random module at multiple places (most prominently in packet.py). In the case of the authenticator data, this pseudo-random data is being used to secure a password sent over the wire. Unfortunately, Python's random module is not suitable for this purpose. The end result is a password hashing that may be predictable.
Comment 1 Nathaniel McCallum 2013-01-15 18:56:00 UTC 
A patch is available:
https://github.com/wichert/pyrad/commit/38f74b36814ca5b1a27d9898141126af4953bee5
Comment 2 Vincent Danen 2013-02-15 16:03:25 UTC 
Please use the following update submission link to create the Bodhi
request for this issue as it contains the top-level parent bug(s) as well
as this tracking bug.  This will ensure that all associated bugs get
updated when new packages are pushed to stable.

Please also ensure that the "Close bugs when update is stable" option
remains checked.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=911682,894487
Comment 3 Vincent Danen 2013-02-20 17:16:31 UTC 
*** Bug 894488 has been marked as a duplicate of this bug. ***
Comment 4 Fedora Update System 2013-09-05 12:00:26 UTC 
python-pyrad-2.0-3.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/python-pyrad-2.0-3.fc19
Comment 5 Fedora Update System 2013-09-05 12:00:46 UTC 
python-pyrad-2.0-3.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/python-pyrad-2.0-3.fc18
Comment 6 Fedora Update System 2013-09-05 12:01:09 UTC 
python-pyrad-2.0-3.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/python-pyrad-2.0-3.fc20
Comment 7 Fedora Update System 2013-09-05 17:51:30 UTC 
Package python-pyrad-2.0-3.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing python-pyrad-2.0-3.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15838/python-pyrad-2.0-3.fc20
then log in and leave karma (feedback).
Comment 8 Fedora Update System 2013-09-15 00:49:36 UTC 
python-pyrad-2.0-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2013-09-15 00:57:01 UTC 
python-pyrad-2.0-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2013-09-23 00:40:19 UTC 
python-pyrad-2.0-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.