Date: Mon, 19 Oct 2015 15:39:52 -0400
From: Larry Cashdollar <larry0@...com>
To: Open Security <oss-security@...ts.openwall.com>
Cc: cve-assign@...re.org
Subject: Re: CVE request for sqlalchemy-utils

I stopped asking.

From:  <robert@...ert.io>
Reply-To:  Open Security <oss-security@...ts.openwall.com>
Date:  Sunday, October 18, 2015 at 3:21 PM
To:  Open Security <oss-security@...ts.openwall.com>
Cc:  <cve-assign@...re.org>
Subject:  Re: [oss-security] CVE request for sqlalchemy-utils

I've been told I should check-in after a couple of weeks without a
response. Is there any more information I can provide to help you make a
decision?

From the discussion on the bug tracker, this was a design decision, but
at least some users of the library weren't aware of it. As far as I know
it wasn't / isn't documented. I noticed the issue when reviewing the
code for Netflix's Lemur tool and they were not previously aware of the
issue: https://github.com/Netflix/lemur/issues/117
 
- Robert

On Tue, Oct 6, 2015, at 02:10 PM, robert@...ert.io wrote:
>  Description: I noticed that the sqlalchemy-utils package's EncryptedType
>  does not use a random IV when encrypting with AES in CBC mode. It
>  generates a SHA256 hash of the user's key and uses the first 16 bytes of
>  that hash as the IV (and the full hash as the encryption key). The
>  result is that for a given key, the IV will always be the same.
>  
>  Reported here: https://github.com/kvesteri/sqlalchemy-utils/issues/166
>  Version: Current. I'm not sure what the version history of this package
>  looks like, though.
>  Reporter: Robert Picard
>  
>  Please assign a CVE if you feel it would be appropriate for this bug.
>  
>  - Robert
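The following is an added example, not code from the thread or from sqlalchemy-utils: it reconstructs, from the description in the quoted report, a CBC scheme whose IV is the first 16 bytes of SHA-256(passphrase) (the full hash being the key), places it beside the standard fix (a fresh random IV per encryption, stored in front of the ciphertext), and shows the concrete consequence a reviewer would check for: with a fixed IV, equal plaintexts under one key produce equal ciphertexts, and plaintexts sharing a 16-byte prefix produce an equal first ciphertext block. Go is used rather than Python because its standard library ships AES-CBC, so the example runs with no third-party package. The passphrase and column values are constructed; unauthenticated CBC and an unsalted, unstretched SHA-256 key derivation are kept here only to mirror the described scheme, not as a recommendation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// pad applies PKCS#7 padding so the plaintext is a whole number of AES blocks.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// unpad strips PKCS#7 padding and rejects malformed padding.
func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// cbcEncrypt is AES-CBC with PKCS#7 padding over an explicit key and IV.
func cbcEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// EncryptFixedIV mirrors the scheme in the report (assumption: reconstructed
// from the description, not sqlalchemy-utils code): key = SHA-256(passphrase),
// IV = the first 16 bytes of that same hash, so the IV never changes.
func EncryptFixedIV(passphrase string, plaintext []byte) ([]byte, error) {
	key := sha256.Sum256([]byte(passphrase))
	return cbcEncrypt(key[:], key[:aes.BlockSize], plaintext)
}

// EncryptRandomIV is the corrected form: a fresh random IV per call, prepended
// to the ciphertext so the decryptor can recover it.
func EncryptRandomIV(passphrase string, plaintext []byte) ([]byte, error) {
	key := sha256.Sum256([]byte(passphrase))
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct, err := cbcEncrypt(key[:], iv, plaintext)
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

// DecryptRandomIV reverses EncryptRandomIV, reading the IV from the prefix.
func DecryptRandomIV(passphrase string, data []byte) ([]byte, error) {
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or misaligned")
	}
	key := sha256.Sum256([]byte(passphrase))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	return unpad(out)
}

// SharedLeadingBlocks counts how many leading 16-byte blocks two byte strings
// have in common; under a fixed IV this exposes shared plaintext prefixes.
func SharedLeadingBlocks(a, b []byte) int {
	n := 0
	for (n+1)*aes.BlockSize <= len(a) && (n+1)*aes.BlockSize <= len(b) {
		if !bytes.Equal(a[n*aes.BlockSize:(n+1)*aes.BlockSize], b[n*aes.BlockSize:(n+1)*aes.BlockSize]) {
			break
		}
		n++
	}
	return n
}

func main() {
	a, _ := EncryptFixedIV("passphrase", []byte("column value")) // constructed inputs
	b, _ := EncryptFixedIV("passphrase", []byte("column value"))
	fmt.Printf("fixed IV, same value twice  -> identical ciphertext: %v\n", bytes.Equal(a, b))
	c, _ := EncryptRandomIV("passphrase", []byte("column value"))
	d, _ := EncryptRandomIV("passphrase", []byte("column value"))
	fmt.Printf("random IV, same value twice -> identical ciphertext: %v\n", bytes.Equal(c, d))
}
```

Running it prints `true` for the fixed-IV scheme and `false` for the random-IV one; for a database column that stores the same value in many rows (a status flag, a common password, an empty string), the first scheme lets anyone with read access to the table see which rows are equal without the key, which is the leak the report is about.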
