Date: Mon, 13 Jan 2014 03:59:01 -0500
From: George Staikos <>
To: Florian Weimer <>
Subject: Re: kwallet crypto misuse

This issue has been known for years but it seems kwallet is unmaintained. I
had to stop working on it before I could fix this, among other issues.
Somebody should fix the crypto, yes, though I'm not sure how urgent an
issue this really is.
On Jan 2, 2014 3:15 AM, "Florian Weimer" <> wrote:

> I just noticed this is now public:
> <>
> Short summary: kwallet uses Blowfish to encrypt its password store, and
> despite an attempt at implementing CBC mode (in a file called no
> less), it's actually ECB mode.  UTF-16 encoding combined with Blowfish's 64
> bit block size means there are just four password characters per block.
> Encryption is convergent as well.  This may enable recovery of passwords
> through codebook attacks.
> Should we treat this as a minor vulnerability?
> --
> Florian Weimer / Red Hat Product Security Team
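The ECB-versus-CBC point in the quoted message, as an added example that is not kwallet's code: it splits a UTF-16 password into 8-byte blocks, encrypts them in both modes, and counts repeated ciphertext blocks, which is the fingerprint a reviewer would look for in a stored wallet. A 4-round Feistel network over HMAC-SHA256 stands in for Blowfish, and the zero padding and key value are demo assumptions.

```python
import hashlib
import hmac

BLOCK = 8  # Blowfish's 64-bit block holds four UTF-16 code units

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _permute(key, block, decrypt=False):
    """Stand-in keyed 64-bit permutation (4-round Feistel over HMAC-SHA256) used
    instead of Blowfish; the mode-level leak does not depend on the cipher."""
    L, R = block[:4], block[4:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        f = hmac.new(key, bytes([i]) + (L if decrypt else R), hashlib.sha256).digest()[:4]
        L, R = (_xor(R, f), L) if decrypt else (R, _xor(L, f))
    return L + R

def utf16_blocks(password):
    """UTF-16LE encode, zero-pad to the block size (padding is a demo
    assumption) and split into 8-byte blocks of four characters each."""
    data = password.encode("utf-16-le")
    data += b"\0" * (-len(data) % BLOCK)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, blocks):
    # Every block is encrypted on its own: equal plaintext -> equal ciphertext,
    # across positions and across wallet entries (convergent encryption).
    return [_permute(key, b) for b in blocks]

def cbc_encrypt(key, iv, blocks):
    # Each block is XORed with the previous ciphertext block (the IV first),
    # so equal plaintext blocks no longer yield equal ciphertext blocks.
    # The IV must be fresh random per entry, e.g. os.urandom(BLOCK).
    out, prev = [], iv
    for b in blocks:
        prev = _permute(key, _xor(b, prev))
        out.append(prev)
    return out

def cbc_decrypt(key, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        out.append(_xor(_permute(key, c, decrypt=True), prev))
        prev = c
    return out

def repeated_blocks(blocks):
    """ECB fingerprint: how many ciphertext blocks are exact repeats."""
    return len(blocks) - len(set(blocks))
```

Under ECB the two "pass" blocks of "passpass" encrypt identically and also match the ciphertext of a separate one-block "pass" entry under the same key, which is the codebook property described above; under CBC with a random IV they differ.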
