Date: Fri, 3 Jan 2014 10:32:09 +1100
From: Michael Samuel <mik@...net.net>
To: oss-security@...ts.openwall.com
Cc: fweimer@...hat.com, cve-assign@...re.org
Subject: Re: Re: kwallet crypto misuse

>
> > KWallet uses QDataStream, which encodes QString objects (used in
> > KWallet maps) as UTF-16. So, the string "abcd" will be stored as
> > "\0a\0b\0c\0d", which gives four bytes of information per block.
>
> Does anyone know whether the KWallet user interface could make it
> possible to enter passwords containing 16-bit characters (i.e.,
> characters that cannot be represented using 8 bits)? If that would not
> be possible, then this issue could potentially qualify for an
> additional CVE assignment.
>

I don't think another CVE is warranted - this just amplifies the original
vulnerability.

Implementing a cryptographic store (e.g. a cryptographic file protocol) is
non-trivial and the KDE developers might wish to seek help with this -
perhaps a wiki page?

Regards,
  Michael

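The quoted point about QDataStream storing QString as UTF-16, worked through as an added illustration (this is not code from the thread, from KDE or from KWallet). It assumes that the QString payload is serialised as UTF-16 big-endian code units and that the cipher works on 8-byte (Blowfish-sized) blocks; the 4-byte length prefix QDataStream also writes is left out because it is even-sized and does not change the alignment. The functions count, per block, how many bytes are predictable 0x00 high bytes versus bytes that actually carry password information, for both the Latin-1 case the thread discusses and the 16-bit character case the question raises.

```python
"""Added illustration (not code from the oss-security thread or from KWallet):
how QDataStream's UTF-16 serialisation of QString makes half of every 8-byte
Blowfish block predictable for ordinary (ASCII / Latin-1) passwords."""
from typing import List

BLOCK_SIZE = 8  # Blowfish operates on 64-bit blocks (assumption stated in lead-in)


def encode_qstring(s: str) -> bytes:
    """Approximate the QString payload written by QDataStream: UTF-16
    big-endian code units.  The 4-byte length prefix QDataStream also emits
    is omitted; it is even-sized, so it does not change the byte alignment
    analysed below."""
    return s.encode("utf-16-be")


def blocks(data: bytes, size: int = BLOCK_SIZE) -> List[bytes]:
    """Split serialised data into cipher-block sized chunks (last may be short)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def secret_bytes_per_block(password: str) -> List[int]:
    """For each block, count bytes that are not predictable in advance.

    Every character below U+0100 (ASCII and Latin-1) is stored as 0x00
    followed by its code point, so only one byte of each code unit is
    secret.  Characters at U+0100 and above have a non-zero high byte
    and contribute two secret bytes.
    """
    counts = []
    for blk in blocks(encode_qstring(password)):
        secret = 0
        for i in range(0, len(blk), 2):
            high = blk[i]
            secret += 1 if high == 0 else 2
        counts.append(secret)
    return counts


def known_plaintext_fraction(password: str) -> float:
    """Fraction of the serialised bytes that are predictable 0x00 high bytes."""
    data = encode_qstring(password)
    if not data:
        return 0.0
    known = sum(1 for i in range(0, len(data), 2) if data[i] == 0)
    return known / len(data)


if __name__ == "__main__":
    # Constructed sample passwords; the third contains a 16-bit character.
    for pw in ("abcd", "correct horse", "pa\u20acsword"):
        print(repr(pw), encode_qstring(pw)[:8], secret_bytes_per_block(pw),
              f"{known_plaintext_fraction(pw):.0%} predictable")
```

For "abcd" the encoder yields exactly the "\0a\0b\0c\0d" bytes quoted in the thread, and `secret_bytes_per_block` reports four unknown bytes in the one 8-byte block; only a character outside the Latin-1 range (such as U+20AC) raises the count, which is why the answer to the "16-bit characters" question does not change the underlying weakness for typical passwords.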