Date: Sun, 29 Apr 2012 00:48:54 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Vincent Danen <vdanen@...hat.com>
Subject: Re: weak use of crypto in python-elixir can lead to information disclosure (CVE and peer review request)

On 04/27/2012 02:40 PM, Vincent Danen wrote:
> Could a CVE be assigned for the following issue?
>
> It was reported that python-elixir, a library for ORM mapping on
> top of SQLAlchemy with support for encrypting data stored in a
> database, suffers from weak use of cryptography. It uses Blowfish
> in CFB mode, which has an additional parameter (IV), which is not
> specified and thus defaults to zero. CFB mode is only secure if
> the IV is unpredictable and different for every message.
> Because of this, and because the encryption key is shared for each
> database table (fields and rows), the same plaintext prefix is
> always encrypted to an identical and corresponding ciphertext
> prefix. As a result, an attacker with access to the database could
> figure out the plaintext values of encrypted text.
>
>
> References:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=810013
> http://groups.google.com/group/sqlelixir/browse_thread/thread/efc16227514cffa?pli=1
>
> http://elixir.ematia.de/trac/ticket/119

Please use CVE-2012-2146 for this issue.

> So far there has been no response from upstream, and we have what
> I think is a suitable proposal to fix the flaw and a possible
> migration script to ease migrating from an insecure encrypted db to
> a secure one (noted in the google groups message).
>
> Not sure if anyone else is shipping python-elixir at all, but if
> you are, input on the proposed fix and migration script (in the
> absence of an upstream response) would be fantastic.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
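
The prefix behaviour described in the quoted report, as an added example (not code from python-elixir, the proposed fix, or this thread). Assumptions: full-block CFB, a truncated HMAC-SHA256 standing in for Blowfish's block encryption so that only the standard library is needed, and a constructed key and field values; all function names are hypothetical.

```python
import hashlib, hmac, os

BLOCK = 8  # Blowfish has a 64-bit block

def block_encrypt(key, block):
    # Stand-in for Blowfish's encrypt direction (assumption: truncated
    # HMAC-SHA256). CFB never uses the cipher's decrypt direction.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def cfb(key, iv, data, decrypt=False):
    # Full-block CFB: C_i = P_i XOR E(C_{i-1}), with C_0 = IV.
    out, feedback = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        result = bytes(a ^ b for a, b in zip(chunk, block_encrypt(key, feedback)))
        feedback = chunk if decrypt else result  # feedback is always ciphertext
        out += result
    return bytes(out)

def encrypt_zero_iv(key, value):
    # The pattern from the report: IV left at its all-zero default.
    return cfb(key, bytes(BLOCK), value)

def encrypt_random_iv(key, value):
    # Fresh unpredictable IV per value, stored in front of the ciphertext.
    iv = os.urandom(BLOCK)
    return iv + cfb(key, iv, value)

def decrypt_random_iv(key, stored):
    return cfb(key, stored[:BLOCK], stored[BLOCK:], decrypt=True)

def shared_prefix_len(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

# Constructed sample data: one key for the whole table, two field values.
KEY = b"constructed-table-key"
ROW_A = b"status=active;plan=gold"
ROW_B = b"status=active;plan=free"

if __name__ == "__main__":
    print("plaintext prefix:", shared_prefix_len(ROW_A, ROW_B))
    print("zero IV   :", shared_prefix_len(encrypt_zero_iv(KEY, ROW_A), encrypt_zero_iv(KEY, ROW_B)))
    a, b = encrypt_random_iv(KEY, ROW_A), encrypt_random_iv(KEY, ROW_B)
    print("random IV :", shared_prefix_len(a[BLOCK:], b[BLOCK:]))
```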