Date: Fri, 3 Jan 2014 10:32:09 +1100
From: Michael Samuel <mik@...net.net>
To: oss-security@...ts.openwall.com
Cc: fweimer@...hat.com, cve-assign@...re.org
Subject: Re: Re: kwallet crypto misuse

> > KWallet uses QDataStream, which encodes QString objects (used in
> > KWallet maps) as UTF-16. So, the string "abcd" will be stored as
> > "\0a\0b\0c\0d", which gives four bytes of information per block.
>
> Does anyone know whether the KWallet user interface could make it
> possible to enter passwords containing 16-bit characters (i.e.,
> characters that cannot be represented using 8 bits)? If that would not
> be possible, then this issue could potentially qualify for an
> additional CVE assignment.
>

I don't think another CVE is warranted - this just amplifies the original
vulnerability.

Implementing a cryptographic store (e.g. a cryptographic file protocol) is
non-trivial and the KDE developers might wish to seek help with this -
perhaps a wiki page?

Regards,
  Michael
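
The byte layout discussed in the quoted text, as an added example that is not part of the original thread or of KWallet's code: it encodes sample strings as big-endian UTF-16 and reports, per block, how many bytes are fixed zero high bytes. The 8-byte block size is an assumption inferred from "four bytes of information per block"; the function names and sample strings are constructed for illustration.

```python
"""Added illustration: how UTF-16 storage of 8-bit text fills cipher blocks."""
import math

BLOCK_SIZE = 8  # assumption: 8-byte block, implied by "four bytes ... per block"


def encode_utf16_be(text: str) -> bytes:
    """Byte layout shown in the post: 'abcd' -> b'\\0a\\0b\\0c\\0d'."""
    return text.encode("utf-16-be")


def block_profile(text: str, block_size: int = BLOCK_SIZE):
    """Return [(bytes_in_block, zero_high_bytes), ...] for each block of text."""
    data = encode_utf16_be(text)
    profile = []
    for off in range(0, len(data), block_size):
        block = data[off:off + block_size]
        # Big-endian UTF-16: the high byte of each code unit is at even offsets.
        zero_high = sum(1 for i in range(0, len(block), 2) if block[i] == 0)
        profile.append((len(block), zero_high))
    return profile


def max_unknown_bits(alphabet_size: int, block_size: int = BLOCK_SIZE) -> float:
    """Upper bound on unpredictable bits in one full block of such text."""
    chars_per_block = block_size // 2  # two bytes per UTF-16 code unit
    return chars_per_block * math.log2(alphabet_size)


if __name__ == "__main__":
    samples = [  # constructed sample strings
        "abcd",                                  # ASCII: high bytes all zero
        "p\u00e4ssw\u00f6rd",                    # Latin-1: still fits in 8 bits
        "\u043f\u0430\u0440\u043e\u043b\u044c",  # Cyrillic: needs 16 bits
    ]
    for s in samples:
        print(repr(s), encode_utf16_be(s).hex(), block_profile(s))
    print("8-bit characters: at most", max_unknown_bits(256),
          "unknown bits out of", BLOCK_SIZE * 8, "per block")
```

Only the third sample, whose characters cannot be represented in 8 bits, yields blocks with no zero high bytes, which is the case the quoted question about 16-bit input asks about.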