Date: Fri, 9 Jan 2015 07:02:38 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Cc: CVE Assignments MITRE <cve-assign@...re.org>,
	Albert Astals Cid <aacid@....org>
Subject: CVE Request: kwallet: incorrect CBC encryption handling

Hi

The following KDE Project Security Advisory was issued at
https://www.kde.org/info/security/advisory-20150109-1.txt .

> Title:          Fix kwalletd CBC encryption handling
> Risk Rating:    Low
> Platforms:      All
> Versions:       kwalletd < Applications 14.12.1, KF5::KWallet < 5.6.0
> Author:         Valentin Rusu <kde@...u.info>
> Date:           9 January 2015
> 
> Overview
> ========
> 
> Until KDE Applications 14.12.0, kwalletd incorrectly handled CBC encryption blocks when
> encrypting secrets in kwl files. The secrets were still encrypted, but the
> resulting binary data corresponded to an ECB encrypted block instead of CBC.
> 
> Impact
> ======
> 
> The ECB encryption algorithm, even if it scrambles user data, produces the
> same encrypted byte sequence for the same input text. As a result, attackers
> may eventually find out the encrypted text.
> 
> Solution
> ========
> 
> For kde-runtime KWallet upgrade to KDE Applications 14.12.1 or apply the following patch:
>   http://quickgit.kde.org/?p=kde-runtime.git&a=commit&h=14a8232d0b5b1bc5e0ad922292c6b5a1c501165c
> 
> For KDE Frameworks 5 KWallet upgrade to 5.6.0 or apply the following patch:
>   http://quickgit.kde.org/?p=kwallet.git&a=commit&h=6e588d795e6631c3c9d84d85fd3884a159b45849
> 
> Credits
> =======
> 
> Thanks to Itay Duvdevani for finding the issue and for letting us know.
> Thanks to Valentin Rusu for implementing the fix.

Could you please assign a CVE for this issue?

Regards,
Salvatore
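The advisory's point, that ECB-style output repeats the same ciphertext block for the same plaintext block while correctly chained CBC does not, can be checked directly on a blob. The example below is added here and is not part of the advisory or of kwalletd's code: it uses a toy Feistel block cipher (an assumption standing in for Blowfish, 8-byte blocks, not secure) to produce ECB and CBC output for a constructed secret, key and IV, and counts duplicate ciphertext blocks, the tell-tale a defender can look for in a wallet file written by an affected version.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit blocks, as Blowfish uses; the cipher below is a toy, not Blowfish


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Toy Feistel round function: keyed hash truncated to half a block (illustration only).
    return hmac.new(key + bytes([rnd]), half, hashlib.sha256).digest()[: BLOCK // 2]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Four-round Feistel network: a bijection on 8-byte blocks, so distinct inputs
    # always give distinct outputs and equal inputs always give equal outputs.
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: each block is encrypted on its own, so repeated plaintext blocks repeat in the output.
    assert len(data) % BLOCK == 0, "whole blocks only (no padding in this demo)"
    return b"".join(toy_block_encrypt(key, data[i : i + BLOCK]) for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CBC: XOR each plaintext block with the previous ciphertext block (the IV for the
    # first block) before encrypting it, so equal plaintext blocks no longer line up.
    assert len(data) % BLOCK == 0, "whole blocks only (no padding in this demo)"
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, _xor(data[i : i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def repeated_blocks(ciphertext: bytes) -> int:
    # Count ciphertext blocks that duplicate an earlier one: the ECB tell-tale the
    # advisory describes. A correctly chained CBC blob is expected to show none.
    seen = {}
    for i in range(0, len(ciphertext), BLOCK):
        chunk = ciphertext[i : i + BLOCK]
        seen[chunk] = seen.get(chunk, 0) + 1
    return sum(n - 1 for n in seen.values())


# Constructed sample: a secret with a repeated 8-byte block, plus a constructed key and IV.
KEY = b"constructed-demo-key"
IV = bytes(range(BLOCK))
SECRET = b"hunter2!" * 3 + b"pa55w0rd"  # four whole blocks, the first three identical

if __name__ == "__main__":
    print("ECB repeats:", repeated_blocks(ecb_encrypt(KEY, SECRET)))      # 2
    print("CBC repeats:", repeated_blocks(cbc_encrypt(KEY, IV, SECRET)))  # 0
```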
