Date: Fri, 3 Jan 2014 20:40:18 -0500 (EST)
From: cve-assign@...re.org
To: dkg@...thhorseman.net
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: kwallet crypto misuse

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> > ECB, which is bad at hiding patterns in data. For instance, if a
> > password is stored more than once, an attacker can determine that this
> > is likely to have been done, by noticing the corresponding pattern in
> > the output. As far as I can see, this is now CVE-2013-7252.
>
> yep, agreed.

The short answer is that CVE-2013-7252 was assigned because of the
sentence "It is quite obvious that this is a programming error" in the
http://security.stackexchange.com/a/44010/32167 post. The motivation for
the CVE assignment isn't that the end result is ECB.

To try to make this slightly more general, we'll mention two scenarios
in which a vendor writes some code, and the code has a certain
characteristic for which the outcome is weaker security.

Scenario A: Based on analysis of the code itself, one can reasonably
conclude that the vendor WAS NOT trying to have that characteristic.

Scenario B: Based on analysis of subject-matter references, one can
reasonably conclude that the vendor SHOULD NOT HAVE BEEN trying to have
that characteristic.

We've written longer explanations here in the past, but: to a
first-order approximation, CVE assignment is MOSTLY about Scenario A.

Flippant example of Scenario B: the code calls ROT13 once.

Flippant example of Scenario A: because of a logic error, the code
calls ROT13 twice.

- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJSx2TEAAoJEKllVAevmvmsgbwIAIhNUKwcOestofrbZDiTtET6
7QIG3rQ1vCzz7MoTQNuWc+pN3haZ0c4V777PclZLwkyOVcp28ALpSXbD/Q8phxO/
quH54HJ7r1gFbLTl2fK1kKopvrjzj8/9Q8yQUwzZNTHYErSjKNpkhvqKG/313x6t
jbR/9HHwQGnQVYNvrr3VH81dxKCvc82C351dfktNy8GnX7aypF6KcJWCvWKh1u/V
bc3Ttia+xT+rhh5Qo6PYsR/PBwnDszty7JDiCzh/RK8ksooIbYEOkAOcirM1YCu8
tE+JAZIZ+SVupHkrDGrQjdqqMMSby3k1bz34/oTToiZlaO0M0XNJc2l0StLD8HI=
=GxjR
-----END PGP SIGNATURE-----
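Added example, not part of the message above or of kwallet itself, illustrating the ECB property the quoted text describes: a wallet blob that stores the same password twice encrypts to two identical ciphertext blocks under ECB, which anyone holding the encrypted file can spot without the key, whereas CBC with a fresh random IV hides the repeat. The block cipher is a toy HMAC-SHA256 Feistel construction standing in for whatever cipher the wallet really uses (so the example runs with only the Python standard library); the key, the stored passwords and the function names are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes


# Toy 4-round Feistel block cipher built from HMAC-SHA256. It stands in for
# the wallet's real cipher only so that the example is self-contained; the
# ECB-versus-CBC behaviour shown below does not depend on the cipher chosen.
def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def pad(data: bytes) -> bytes:
    """PKCS#7 padding up to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: each block is encrypted independently under the same key, so
    equal plaintext blocks always produce equal ciphertext blocks."""
    assert len(plaintext) % BLOCK == 0
    return b"".join(
        encrypt_block(key, plaintext[i : i + BLOCK])
        for i in range(0, len(plaintext), BLOCK)
    )


def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes | None = None) -> bytes:
    """CBC with a fresh random IV: each block is XORed with the previous
    ciphertext block before encryption, so repeats are not visible.
    Returns iv || ciphertext."""
    assert len(plaintext) % BLOCK == 0
    iv = os.urandom(BLOCK) if iv is None else iv
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, _xor(plaintext[i : i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)


def find_duplicate_blocks(ciphertext: bytes) -> list[tuple[int, int]]:
    """What an observer of the encrypted wallet can do without the key:
    look for ciphertext blocks that repeat. Returns (first, later) index pairs."""
    blocks = [ciphertext[i : i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    seen: dict[bytes, int] = {}
    dups: list[tuple[int, int]] = []
    for idx, b in enumerate(blocks):
        if b in seen:
            dups.append((seen[b], idx))
        else:
            seen[b] = idx
    return dups


# Constructed sample wallet: three stored passwords, the first and third equal.
KEY = hashlib.sha256(b"constructed demo key, not a real wallet key").digest()
WALLET_PASSWORDS = [b"hunter2", b"correct horse", b"hunter2"]
WALLET_PLAINTEXT = b"".join(pad(p) for p in WALLET_PASSWORDS)

if __name__ == "__main__":
    ecb_ct = ecb_encrypt(KEY, WALLET_PLAINTEXT)
    cbc_ct = cbc_encrypt(KEY, WALLET_PLAINTEXT)[BLOCK:]  # drop the IV
    print("ECB repeated blocks:", find_duplicate_blocks(ecb_ct))
    print("CBC repeated blocks:", find_duplicate_blocks(cbc_ct))
```

Running it reports that blocks 0 and 2 of the ECB output coincide, which is exactly the "corresponding pattern in the output" the quoted text refers to, while the CBC output shows no repeats. Note that find_duplicate_blocks never touches the key: the leak is a property of the mode, not of the cipher strength, which is why the fix is a randomized mode rather than a different block cipher.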