Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 13 Aug 2015 20:25:38 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: security@...tstack.com
Subject: Re: CVE request for saltstack

On Thu, Aug 13, 2015 at 11:06:10AM -0600, Kurt Seifried wrote:
> So someone pointed this out to me:
> 
> https://github.com/saltstack/salt/commit/e8ce66cf688b43aeb3e716e78b1af3a08e9940e3
> 
>      priv = '{0}.pem'.format(base)
>      pub = '{0}.pub'.format(base)
> 
> -    gen = RSA.gen_key(keysize, 1, callback=lambda x, y, z: None)
> +    gen = RSA.gen_key(keysize, 65537, callback=lambda x, y, z: None)
>      cumask = os.umask(191)
>      gen.save_key(priv, None)
>      os.umask(cumask)
> 
> This is using the M2Crypto.RSA.
> 
> TL;DR: doing RSA crypto with a public exponent value of "1" makes crypto
> very fast. Fast is not always good.
> 
> Can we get a CVE for this please?

Duplicate CVE request, with wrong rationale this time (hilarious, though)?

http://www.openwall.com/lists/oss-security/2013/07/01/1
https://github.com/saltstack/salt/commit/5dd304276ba5745ec21fc1e6686a0b28da29e6fc
http://stackoverflow.com/questions/17490282/why-is-this-commit-that-sets-the-rsa-public-exponent-to-1-problematic
https://news.ycombinator.com/item?id=5993959

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ