Date: Fri, 9 Jan 2015 07:52:44 +0100 From: Marcus Meissner <meissner@...e.de> To: oss-security@...ts.openwall.com Cc: CVE Assignments MITRE <cve-assign@...re.org>, Albert Astals Cid <aacid@....org> Subject: Re: CVE Request: kwallet: incorrect CBC encryption handling On Fri, Jan 09, 2015 at 07:02:38AM +0100, Salvatore Bonaccorso wrote: > Hi > > The following KDE Project Security Advisory was issued at > https://www.kde.org/info/security/advisory-20150109-1.txt . > > > Title: Fix kwalletd CBC encryption handling > > Risk Rating: Low > > Platforms: All > > Versions: kwalletd < Applications 14.12.1, KF5::KWallet < 5.6.0 > > Author: Valentin Rusu <kde@...u.info> > > Date: 9 January 2015 > > > > Overview > > ======== > > > > Until KDE Applications 14.12.0, kwalletd incorrectly handled CBC encryption blocks when > > encrypting secrets in kwl files. The secrets were still encrypted, but the > > result binary data corresponded to an ECB encrypted block instead of CBC. > > > > Impact > > ====== > > > > The ECB encryption algorithm, even if it'll scramble user data, it'll produce > > same encrypted byte sequence for the same input text. As a result, attackers > > may eventually find-out the encrypted text. > > > > Solution > > ======== > > > > For kde-runtime KWallet upgrade to KDE Applications 14.12.1 or apply the following patch: > > http://quickgit.kde.org/?p=kde-runtime.git&a=commit&h=14a8232d0b5b1bc5e0ad922292c6b5a1c501165c > > > > For KDE Frameworks 5 KWallet upgrade to 5.6.0 or apply the following patch: > > http://quickgit.kde.org/?p=kwallet.git&a=commit&h=6e588d795e6631c3c9d84d85fd3884a159b45849 > > > > Credits > > ======= > > > > Thanks to Itay Duvdevani for finding the issue and for letting us know. > > Thanks to Valentin Rusu for implementing the fix. > > Could you please assing a CVE for this issue? This is already CVE-2013-7252 I think. Ciao, Marcus
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ