Date: Fri, 05 Oct 2012 16:21:57 -0400
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: coley@...us.mitre.org
CC: oss-security@...ts.openwall.com
Subject: CVE Request: Python keyring

Hello,

Python keyring before 0.9.1 was using the user-supplied password insecurely.

From the 0.9.1 changelog:

CryptedFileKeyring now uses PBKDF2 to derive the key from the user's
password and a random hash. The IV is chosen randomly as well. All the
stored passwords are encrypted at once. Any keyrings using the old
format will be automatically converted to the new format (but will no
longer be compatible with 0.9 and earlier). The user's password is no
longer limited to 32 characters. PyCrypto 2.5 or greater is now required
for this keyring.

See:

http://pypi.python.org/pypi/keyring#id2
https://bugs.launchpad.net/ubuntu/+source/python-keyring/+bug/1004845

Thanks,

Marc.


-- 
Marc Deslauriers
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/
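The changelog above describes the shape of the fixed on-disk format: a key derived from the user's password with PBKDF2 and a random salt (the "random hash"), a random IV per encryption, and all stored passwords encrypted together as one blob, with no cap on password length. The following is an added illustration of that design and is not keyring's own code. It makes two assumptions that should be read as such: the iteration count and the field names of the stored blob are arbitrary choices here, and, because the Python standard library has no AES, the encryption step uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag as a stand-in for the AES that keyring 0.9.1 requires PyCrypto 2.5+ for.

```python
import hashlib
import hmac
import json
import os

# Assumed parameters for this example, not keyring's own values.
PBKDF2_ITERATIONS = 200_000
KEY_LEN = 64   # 32 bytes for the stream cipher key, 32 bytes for the MAC key
SALT_LEN = 16
IV_LEN = 16


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the whole password, with a random per-file salt.

    The salt defeats precomputed tables, the iteration count slows brute force,
    and the KDF consumes a password of any length, so no 32-character limit.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256(key, iv || counter) blocks.

    Used only to keep this example dependency-free; a real keyring uses AES.
    The random IV makes the keystream unique per encryption under the same key.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_keyring(password: str, entries: dict) -> dict:
    """Encrypt ALL entries as one blob under a fresh salt and a fresh IV."""
    salt = os.urandom(SALT_LEN)
    iv = os.urandom(IV_LEN)
    key = derive_key(password, salt, PBKDF2_ITERATIONS)
    enc_key, mac_key = key[:32], key[32:]
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in
                       zip(plaintext, _keystream(enc_key, iv, len(plaintext))))
    # Encrypt-then-MAC over everything the decryptor will trust.
    tag = hmac.new(mac_key, salt + iv + ciphertext, hashlib.sha256).digest()
    return {
        "kdf": "pbkdf2-hmac-sha256",      # field names are this example's own
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "iv": iv.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": tag.hex(),
    }


def decrypt_keyring(password: str, blob: dict) -> dict:
    """Re-derive the key from the stored salt; reject a wrong password or tampering."""
    salt = bytes.fromhex(blob["salt"])
    iv = bytes.fromhex(blob["iv"])
    ciphertext = bytes.fromhex(blob["ciphertext"])
    key = derive_key(password, salt, int(blob["iterations"]))
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("wrong password or tampered keyring")
    plaintext = bytes(c ^ k for c, k in
                      zip(ciphertext, _keystream(enc_key, iv, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample entries; a password well over 32 characters.
    entries = {"smtp": "hunter2", "db": "s3cret"}
    pw = "correct horse battery staple, and then some more words"
    blob1 = encrypt_keyring(pw, entries)
    blob2 = encrypt_keyring(pw, entries)
    print("same password, different salt/IV/ciphertext:",
          blob1["salt"] != blob2["salt"] and blob1["ciphertext"] != blob2["ciphertext"])
    print("round trip:", decrypt_keyring(pw, blob1) == entries)
```

Two properties are worth checking when reviewing any file-based keyring of this kind: encrypting the same entries twice must produce different blobs (otherwise the salt or IV is not actually random), and a wrong password must fail cleanly at the integrity check rather than yield garbage plaintext that a caller might use.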
