Date: Sat, 10 Jan 2015 17:23:05 +0100 From: Albert Astals Cid <aacid@....org> To: Marcus Meissner <meissner@...e.de> Cc: oss-security@...ts.openwall.com, CVE Assignments MITRE <cve-assign@...re.org>, security@....org Subject: Re: CVE Request: kwallet: incorrect CBC encryption handling El Divendres, 9 de gener de 2015, a les 07:52:44, Marcus Meissner va escriure: > On Fri, Jan 09, 2015 at 07:02:38AM +0100, Salvatore Bonaccorso wrote: > > Hi > > > > The following KDE Project Security Advisory was issued at > > https://www.kde.org/info/security/advisory-20150109-1.txt . > > > > > Title: Fix kwalletd CBC encryption handling > > > Risk Rating: Low > > > Platforms: All > > > Versions: kwalletd < Applications 14.12.1, KF5::KWallet < 5.6.0 > > > Author: Valentin Rusu <kde@...u.info> > > > Date: 9 January 2015 > > > > > > Overview > > > ======== > > > > > > Until KDE Applications 14.12.0, kwalletd incorrectly handled CBC > > > encryption blocks when encrypting secrets in kwl files. The secrets > > > were still encrypted, but the result binary data corresponded to an ECB > > > encrypted block instead of CBC. > > > > > > Impact > > > ====== > > > > > > The ECB encryption algorithm, even if it'll scramble user data, it'll > > > produce same encrypted byte sequence for the same input text. As a > > > result, attackers may eventually find-out the encrypted text. > > > > > > Solution > > > ======== > > > > > > For kde-runtime KWallet upgrade to KDE Applications 14.12.1 or apply the following patch: > > > http://quickgit.kde.org/?p=kde-runtime.git&a=commit&h=14a8232d0b5b1bc5 > > > e0ad922292c6b5a1c501165c> > > > > For KDE Frameworks 5 KWallet upgrade to 5.6.0 or apply the following patch: > > > http://quickgit.kde.org/?p=kwallet.git&a=commit&h=6e588d795e6631c3c9d8 > > > 4d85fd3884a159b45849> > > > > Credits > > > ======= > > > > > > Thanks to Itay Duvdevani for finding the issue and for letting us know. > > > Thanks to Valentin Rusu for implementing the fix. > > > > Could you please assing a CVE for this issue? > > This is already CVE-2013-7252 I think. Looks like it is. Thanks for the help guys. Best Regards, Albert > > Ciao, Marcus
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ