oss-sec mailing list archives
Re: weak use of crypto in python-elixir can lead to information disclosure (CVE and peer review request)
From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 01 May 2012 13:03:56 +0200
* Florian Weimer:

> * Vincent Danen:
>
>> And you can group by encrypted column values in the database. That's
>> why I'm not sure if it's actually possible to address this issue in a
>> satisfying manner.
>
> So the encryption can be more fine-grained than just per-table? You can
> also do it per-column? If that's the case, this does sound a lot uglier
> to deal with.
>
> This test case suggests to me that you have to specify the list of
> encrypted columns explicitly:
>
> <http://elixir.ematia.de/trac/browser/elixir/trunk/tests/test_encryption.py>
>
> Based on this example, it's not clear to me if the current
> implementation supports get_by with an encrypted column. If this is a
> feature which needs preserving, there is no apparent way around
> convergent encryption.

So it turns out that this passes the assert:

    p = Person.get_by(password='r\\x9d\\xa8\\xb4\\x8d|\\xffp\\xf5\\x0e')
    assert p.name == 'Jonathan LaCour'

But this fails because p is None:

    p = Person.get_by(ssn='123-45-6789')
    assert p.name == 'Jonathan LaCour'

This suggests to me that get_by on an encrypted column is not actually
supported. The documentation doesn't describe which queries are
supported:

<http://elixir.ematia.de/apidocs/elixir.ext.encrypted.html>
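The trade-off discussed in this thread (an equality lookup such as get_by on an encrypted column only works if equal plaintexts produce equal ciphertexts, and exactly that property lets anyone holding the database group rows by value) can be shown in a few lines. The following is an added example written for this archive page; it is not Elixir's code and does not use the cipher elixir.ext.encrypted uses. The HMAC-SHA256 counter keystream, the KEY constant, the Person rows and SSNs, and the functions store_rows, get_by_ssn, ciphertext_groups and scan_by_ssn are all constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed demo key; a real deployment loads this from a secret store.
KEY = b"constructed-demo-key-not-for-real-use"
NONCE_LEN = 16


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used here as a PRF keystream.

    Illustration of deterministic vs. randomized encryption only; this is
    not the construction elixir.ext.encrypted uses.
    """
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_convergent(key, plaintext):
    """Fixed nonce: equal plaintexts give equal ciphertexts. A lookup can
    encrypt the query value and compare, but the database also sees which
    rows share a value."""
    return _xor(plaintext, _keystream(key, b"\x00" * NONCE_LEN, len(plaintext)))


def decrypt_convergent(key, ciphertext):
    return _xor(ciphertext, _keystream(key, b"\x00" * NONCE_LEN, len(ciphertext)))


def encrypt_randomized(key, plaintext):
    """Fresh random nonce per value: equal plaintexts give unrelated
    ciphertexts, so nothing can be grouped or looked up by ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def decrypt_randomized(key, blob):
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))


def store_rows(encrypt):
    """Simulates a table whose 'ssn' column is encrypted with the given
    scheme. Names and SSNs are constructed sample data; two rows share an
    SSN on purpose so the grouping effect is visible."""
    people = [("Jonathan LaCour", b"123-45-6789"),
              ("Alice Example", b"987-65-4321"),
              ("Bob Example", b"123-45-6789")]
    return [{"name": name, "ssn": encrypt(KEY, ssn)} for name, ssn in people]


def get_by_ssn(rows, ssn, encrypt):
    """What a query-aware get_by would have to do: encrypt the query value
    with the column's scheme and compare ciphertexts. This only succeeds
    when the scheme is convergent."""
    needle = encrypt(KEY, ssn)
    return sorted(row["name"] for row in rows if row["ssn"] == needle)


def ciphertext_groups(rows):
    """What anyone holding the database (or a dump) can compute without the
    key: how many rows share each ciphertext. Under a convergent scheme this
    is exactly the plaintext equality structure."""
    return sorted(Counter(row["ssn"] for row in rows).values(), reverse=True)


def scan_by_ssn(rows, ssn, decrypt):
    """The only option under randomized encryption: fetch every row and
    decrypt in the application. Correct, but the database cannot index or
    filter on the column."""
    return sorted(row["name"] for row in rows if decrypt(KEY, row["ssn"]) == ssn)


if __name__ == "__main__":
    conv = store_rows(encrypt_convergent)
    rand = store_rows(encrypt_randomized)
    print("convergent get_by:", get_by_ssn(conv, b"123-45-6789", encrypt_convergent))
    print("convergent groups:", ciphertext_groups(conv))
    print("randomized get_by:", get_by_ssn(rand, b"123-45-6789", encrypt_randomized))
    print("randomized groups:", ciphertext_groups(rand))
    print("randomized scan:  ", scan_by_ssn(rand, b"123-45-6789", decrypt_randomized))
```

Running the block shows the two halves of the problem side by side: with the convergent scheme the lookup finds both rows holding 123-45-6789 and the ciphertext histogram is [2, 1], revealing the duplicate without the key; with the randomized scheme the histogram is flat and the lookup finds nothing, which is the behaviour Florian observed for the ssn query, and the rows can only be found by decrypting every one in the application.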
Current thread:
- weak use of crypto in python-elixir can lead to information disclosure (CVE and peer review request) Vincent Danen (Apr 27)
- Re: weak use of crypto in python-elixir can lead to information disclosure (CVE and peer review request) Florian Weimer (Apr 28)
- Re: weak use of crypto in python-elixir can lead to information disclosure (CVE and peer review request) Vincent Danen (Apr 30)
- Re: weak use of crypto in python-elixir can lead to information disclosure (CVE and peer review request) Florian Weimer (May 01)
- Re: weak use of crypto in python-elixir can lead to information disclosure (CVE and peer review request) Florian Weimer (May 01)
- Re: weak use of crypto in python-elixir can lead to information disclosure (CVE and peer review request) Vincent Danen (May 02)
- Re: weak use of crypto in python-elixir can lead to information disclosure (CVE and peer review request) Vincent Danen (Apr 30)
- Re: weak use of crypto in python-elixir can lead to information disclosure (CVE and peer review request) Florian Weimer (Apr 28)