oss-sec mailing list archives
Re: cryptocat/decryptocat - needs a cve?
From: Nadim Kobeissi <nadim () nadim cc>
Date: Wed, 10 Jul 2013 13:06:01 -0400
On 2013-07-09, at 11:44 PM, Kurt Seifried <kseifried () redhat com> wrote:
> On 07/09/2013 09:59 AM, Nadim Kobeissi wrote:
>> No CVE has been assigned yet. Any assistance with this is welcome!
>> NK
>
> Ok sorry for the delay, I have some questions. Can you provide links
> to the code commits fixing these issues/give some details on them?
> Also I assume the Cryptocat 2.1 release fixes the decryptocat issue
> correct?
Cryptocat 2.1 does indeed fix the issue.

Code commit: https://github.com/cryptocat/cryptocat/commit/5c69cb7d8543184d2f33944cb4129605d050ecad

Blog post with comments: https://blog.crypto.cat/2013/07/new-critical-vulnerability-in-cryptocat-details/
> ==============
> https://github.com/cryptocat/cryptocat/blob/master/CHANGELOG.md
>
> Cryptocat 2.1
> Jun. 7 2013
> Security enhancements and bug fixes. Updating is recommended.
>
> Cryptocat 2.0.42
> Apr. 19 2013
> Fixed a bug found in the encryption libraries that could partially
> weaken the security of multiparty Cryptocat messages.
>
> Cryptocat 2.0.22
> Nov. 7 2012
> This version pushes many important security fixes, detailed here on
> the Cryptocat Development Blog:
> https://blog.crypto.cat/2012/11/security-update-our-first-full-audit/
>
> Cryptocat 2.0.19
> Nov. 1 2012
> Minor security fixes.
> ==============
>
> Second set of questions:
>
> Then in http://tobtu.com/decryptocat.php
>
> A number of other issues are mentioned, but I can't easily match them
> up to the changelog:
>
> Date introduced   Days in Git   Difficulty rating
> Jul 9, 2011       58            Passwords so probably broken
> Sep 5, 2011       6             *** Medium
> Sep 11, 2011      36            **** Hard
> Oct 15, 2011      2             ***** "Impossible"
> Oct 17, 2011      12            *** Medium
> Oct 29, 2011      191           ** Easy
> May 7, 2012       347           * Encraption
> Apr 19, 2013      45            *** Medium
> Jun 3, 2013       30+           ***** "Impossible"
>
> Can you provide links to the commits for these issues?
The thing is, Cryptocat only started being a serious project since the 2.0 release in late September 2012. Anything before that, to me, would simply not be worthy of a CVE because it was nothing more than a bedroom project used by a handful of people. We only started getting funding and media coverage in July/August 2012, followed by a complete re-engineering and re-release of the project. THAT's why there are so many changes to the key size.

NK
> It looks like we need between 4 and 10+ CVEs in total.
>
> --
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Current thread:
- cryptocat/decryptocat - needs a cve? Kurt Seifried (Jul 08)
- Re: cryptocat/decryptocat - needs a cve? Nadim Kobeissi (Jul 09)
- Re: Re: cryptocat/decryptocat - needs a cve? Kurt Seifried (Jul 09)
- Re: cryptocat/decryptocat - needs a cve? Nadim Kobeissi (Jul 10)
- Re: Re: cryptocat/decryptocat - needs a cve? Kurt Seifried (Jul 09)
- <Possible follow-ups>
- Re: Re: Re: cryptocat/decryptocat - needs a cve? security curmudgeon (Jul 10)
- Re: Re: Re: Re: cryptocat/decryptocat - needs a cve? Kurt Seifried (Jul 10)
- Re: cryptocat/decryptocat - needs a cve? Nadim Kobeissi (Jul 09)