Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 2 Jan 2014 08:03:35 -0500 (EST)
From: cve-assign@...re.org
To: fweimer@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: kwallet crypto misuse

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://security.stackexchange.com/a/44010/32167

> then fill it with zeros; then XOR all these zeros with the data to
> encrypt (which won't change the data...); then proceed to encrypt each
> block independently of each other. This is, indeed, ECB mode, not CBC.
> It is quite obvious that this is a programming error ... This implies
> that the random IV which was computed does nothing here; it is
> encrypted by itself but does not impact any other byte in the whole
> file.

> From: Florian Weimer
> Should we treat this as a minor vulnerability?

Yes; use CVE-2013-7252.

> http://gaganpreet.in/blog/2013/07/24/kwallet-security-analysis/

> KWallet uses QDataStream, which encodes QString objects (used in
> KWallet maps) as UTF-16. So, the string "abcd" will be stored as
> "\0a\0b\0c\0d", which gives four bytes of information per block.

Does anyone know whether the KWallet user interface could make it
possible to enter passwords containing 16-bit characters (i.e.,
characters that cannot be represented using 8 bits)? If that would not
be possible, then this issue could potentially qualify for an
additional CVE assignment.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJSxWKOAAoJEKllVAevmvmsb/gH/j2SfS2GXgaPa5K9OQ3d6fqw
1yqHOfxb3azeB2bsgj7bScNVA8oKZRFLiuI7mkEfeOB6bIltcHyA3ZE07fG4dgeh
B3yEe9+QUs5dWcAaTif+adbmT9+nU8hLRN09/D4lYUoI/y9SkSn4X0xe9jYfwoCE
tKE2VaCrqMVpYe/LD1T5Z9TPZR6oEEXet0t65T8LZgWbh1S+Qo3LMcyfeyBAnJ1q
qdspM0EPruNSTHjPJB0v/jP3x/iwMt2xuz6KAFyJqci6RpDMPUmw0JW2iSi2QLSS
Chk3tlfeunZHbYS3lueQpqHClqb0H0CN7gHunBvBZyLCj+TwMaLeqL/Y5bRfxEI=
=zyg0
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ