Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 18 Oct 2015 12:21:59 -0700
From: robert@...ert.io
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE request for sqlalchemy-utils

I've been told I should check-in after a couple of weeks without a
response. Is there any more information I can provide to help you make a
decision?

>From the discussion on the bug tracker, this was a design decision, but
at least some users of the library weren't aware of it. As far as I know
it wasn't / isn't documented. I noticed the issue when reviewing the
code for Netflix's Lemur tool and they were not previously aware of the
issue: https://github.com/Netflix/lemur/issues/117
 
- Robert

On Tue, Oct 6, 2015, at 02:10 PM, robert@...ert.io wrote:
> Description: I noticed that the sqlalchemy-utils package's EncryptedType
> does not use a random IV when encrypting with AES in CBC mode. It
> generates a SHA256 hash of the user's key and uses the first 16 bytes of
> that hash as the IV (and the full hash as the encryption key). The
> result is that for a given key, the IV will always be the same.
> 
> Reported here: https://github.com/kvesteri/sqlalchemy-utils/issues/166
> Version: Current. I'm not sure what the version history of this package
> looks like, though.
> Reporter: Robert Picard
> 
> Please assign a CVE if you feel it would be appropriate for this bug.
> 
> - Robert

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ