Date: Fri, 3 Jan 2014 20:40:18 -0500 (EST)
From: cve-assign@...re.org
To: dkg@...thhorseman.net
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: kwallet crypto misuse

> > ECB, which is bad at hiding patterns in data. For instance, if a
> > password is stored more than once, an attacker can determine that this
> > is likely to have been done, by noticing the corresponding pattern in
> > the output. As far as I can see, this is now CVE-2013-7252.
> 
> yep, agreed.

The short answer is that CVE-2013-7252 was assigned because of the
sentence "It is quite obvious that this is a programming error" in the
http://security.stackexchange.com/a/44010/32167 post. The motivation
for the CVE assignment isn't that the end result is ECB.

To try to make this slightly more general, we'll mention two scenarios
in which a vendor writes some code, and the code has a certain
characteristic for which the outcome is weaker security.

Scenario A:
Based on analysis of the code itself, one can reasonably conclude that
the vendor WAS NOT trying to have that characteristic.

Scenario B:
Based on analysis of subject-matter references, one can reasonably
conclude that the vendor SHOULD NOT HAVE BEEN trying to have that
characteristic.

We've written longer explanations here in the past, but: to a
first-order approximation, CVE assignment is MOSTLY about Scenario A.

Flippant example of Scenario B: the code calls ROT13 once.

Flippant example of Scenario A: because of a logic error, the code
calls ROT13 twice.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
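The ECB property the quoted text describes, shown in an added example that is not part of the original thread or of kwallet's code: a keyed 16-byte block function (a constructed stand-in, not a real cipher, so only the mode matters) is run in ECB and in CBC mode over a constructed wallet that stores the same 16-byte password twice, and a duplicate-ciphertext-block count, the check an auditor uses to spot ECB, shows that only the ECB output reveals the repeat. The key, IV and wallet contents are constructed sample values.

```python
import hmac
import hashlib
from collections import Counter

BLOCK = 16

# Constructed sample values: a key, a fixed IV for reproducibility, and a
# "wallet" holding the same 16-byte password twice plus one other secret.
KEY = b"constructed-demo-key"
IV = bytes(range(BLOCK))
WALLET = b"hunter2_password" + b"hunter2_password" + b"other_secret_xyz"


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES/Blowfish: a deterministic keyed 16-byte transform.
    Not invertible and not a real cipher; only the ECB-mode behaviour
    (equal input block -> equal output block) is needed for the demo."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: each block is transformed independently, so repeats survive."""
    return b"".join(toy_block_cipher(key, b) for b in blocks(pad(plaintext)))


def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block first."""
    out, prev = [], iv
    for b in blocks(pad(plaintext)):
        prev = toy_block_cipher(key, bytes(x ^ y for x, y in zip(b, prev)))
        out.append(prev)
    return iv + b"".join(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """Audit check: number of ciphertext blocks that duplicate an earlier one.
    Any value above 0 on structured data is a strong sign of ECB mode."""
    return sum(c - 1 for c in Counter(blocks(ciphertext)).values())


def demo() -> dict:
    return {"ecb": repeated_blocks(ecb_encrypt(KEY, WALLET)),
            "cbc": repeated_blocks(cbc_encrypt(KEY, WALLET, IV))}
```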