Date: Tue, 13 Oct 2015 20:21:54 +0200 From: Gijs Hollestelle <g.hollestelle@...il.com> To: oss-security@...ts.openwall.com Subject: CVE Request: Openpgp.js Critical vulnerability in S2K Hi, A vulnerability in the S2K function of OpenPGP.js allows to produce a predictable session key without knowing the passphrase. An attacker is able to create a private PGP key that will decrypt in OpenPGP.js regardless of the passphrase given. Also using this flaw it is possible to forge a symmetrically encrypted PGP message (Symmetric-Key Encrypted Session Key Packets (Tag 3)) that will decrypt with any passphrase in OpenPGP.js. This can be an attack vector if successful decryption of such a message is used as an authentication mechanism. The bug is fixed with a strict check on unknown S2K types. Info: https://firstname.lastname@example.org/msg00918.html Fixed by: https://github.com/openpgpjs/openpgpjs/commit/668a9bbe7033f3f475576209305eb57a54306d29 Fixen in: OpenPGP.js v1.3.0 Could a CVE please be assigned to this issue? Regards, Gijs
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.