Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 10 Jan 2015 17:23:05 +0100
From: Albert Astals Cid <aacid@....org>
To: Marcus Meissner <meissner@...e.de>
Cc: oss-security@...ts.openwall.com, CVE Assignments MITRE <cve-assign@...re.org>, security@....org
Subject: Re: CVE Request: kwallet: incorrect CBC encryption handling

El Divendres, 9 de gener de 2015, a les 07:52:44, Marcus Meissner va escriure:
> On Fri, Jan 09, 2015 at 07:02:38AM +0100, Salvatore Bonaccorso wrote:
> > Hi
> > 
> > The following KDE Project Security Advisory was issued at
> > https://www.kde.org/info/security/advisory-20150109-1.txt .
> > 
> > > Title:          Fix kwalletd CBC encryption handling
> > > Risk Rating:    Low
> > > Platforms:      All
> > > Versions:       kwalletd < Applications 14.12.1, KF5::KWallet < 5.6.0
> > > Author:         Valentin Rusu <kde@...u.info>
> > > Date:           9 January 2015
> > > 
> > > Overview
> > > ========
> > > 
> > > Until KDE Applications 14.12.0, kwalletd incorrectly handled CBC
> > > encryption blocks when encrypting secrets in kwl files. The secrets
> > > were still encrypted, but the result binary data corresponded to an ECB
> > > encrypted block instead of CBC.
> > > 
> > > Impact
> > > ======
> > > 
> > > The ECB encryption algorithm, even if it'll scramble user data, it'll
> > > produce same encrypted byte sequence for the same input text. As a
> > > result, attackers may eventually find-out the encrypted text.
> > > 
> > > Solution
> > > ========
> > > 
> > > For kde-runtime KWallet upgrade to KDE Applications 14.12.1 or apply the 
following patch:
> > >   http://quickgit.kde.org/?p=kde-runtime.git&a=commit&h=14a8232d0b5b1bc5
> > >   e0ad922292c6b5a1c501165c> > 
> > > For KDE Frameworks 5 KWallet upgrade to 5.6.0 or apply the following 
patch:
> > >   http://quickgit.kde.org/?p=kwallet.git&a=commit&h=6e588d795e6631c3c9d8
> > >   4d85fd3884a159b45849> > 
> > > Credits
> > > =======
> > > 
> > > Thanks to Itay Duvdevani for finding the issue and for letting us know.
> > > Thanks to Valentin Rusu for implementing the fix.
> > 
> > Could you please assing a CVE for this issue?
> 
> This is already CVE-2013-7252 I think.

Looks like it is. Thanks for the help guys.

Best Regards,
  Albert

> 
> Ciao, Marcus

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ