oss-sec mailing list archives
Re: Re: Re: Re: cryptocat/decryptocat - needs a cve?
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 10 Jul 2013 13:53:42 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/10/2013 11:36 AM, security curmudgeon wrote:
> In reference to Kurt's post: http://seclists.org/oss-sec/2013/q3/66
> I went through the CryptoCat changelog, as well as the audit report from 2012, and broke out all the issues as I saw them. They are all live on OSVDB, which may help on CVE assignments:
> http://direct.osvdb.org/search?search%5Bvuln_title%5D=cryptocat&search%5Btext_type%5D=titles
You rock, thanks. Owe you a beer. Please use (same titles as OSVDB):

CVE-2013-2257 Cryptocat Group Chat ECC Private Key Generation Brute Force Weakness
CVE-2013-2258 Cryptocat Crafted Nickname User Impersonation Spoofing
CVE-2013-2259 Cryptocat on Firefox Conversation Overview Nickname Arbitrary Code Execution
CVE-2013-2260 Cryptocat Cryptocat.random() Function Array Key Entropy Weakness
CVE-2013-2261 Cryptocat for Chrome manifest.json img/keygen.gif Software Detection Weakness
CVE-2013-2262 Cryptocat strophe.js XMPP Request ID Prediction OTR Chat Activity Remote Disclosure
CVE-2013-4100 Cryptocat Crafted Username Chat Remote DoS
CVE-2013-4101 Cryptocat Link Markup Decorator addLinks() Function HTML Handling Weakness
CVE-2013-4102 Cryptocat strophe.js Math.random() Function Random Number Generator (RNG) Weakness
CVE-2013-4103 Cryptocat Crafted Data URI Remote Script Injection
CVE-2013-4104 Cryptocat OTR Socialist Millionaire Protocol Key Exchange Poisoning Weakness
CVE-2013-4105 Cryptocat Multiparty Encryption Scheme AES-CTR Nonce Re-use Plaintext Traffic Disclosure
CVE-2013-4106 Cryptocat Conversation Overview Nickname XSS
CVE-2013-4107 Cryptocat cryptocat.js handlePresence() Function Nickname Change XSS
CVE-2013-4108 Cryptocat Multiple Unspecified Minor Issues
CVE-2013-4109 Cryptocat Message Handling Unspecified XSS
CVE-2013-4110 Cryptocat Unspecified Chat Participant User List Disclosure

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR3bvFAAoJEBYNRVNeJnmT1ksQAL/C09I0kmpMEB9J8kSF19x+
iQZYNmyK9Cslxl9pdG/HLeLGieFdhGMAJ9CgBMfW82Vil6VAU8AwGn+rG8RUZtdk
cdhh6bGBvj3uLjgz+sabBZdCRSsu/LL6Y5INcQIVkvO5iIBF/HKqMRGBlmGygjdp
fJfLQigoPFcZ1IfIABFv40mMZxr8v6ZMlqukmOVeTyjnDPjNgYzimCqe3kBQzBwE
YA90sISausX5a68Tk3mkRMtsRfEQY7CXG666c/FO2sH+61CbQb8PhfuJ33TRWFog
wDqaphzHgWbBoW11VSlmTcEjGsaL/oxCGrwSqFE4hdg1vWgmxpMNZq6LodVvxTh4
REZaPQtrlJiIJjxFOwHiYUIig+BShgw74iQ4SmTse5PqQ/Z76VQlutQzXqGKdZ/V
xrl7AJvrUiEOHpmfkeS1x9feF85IY+MmDSIqVmRYr/wvClzTOHgFRNiBH4+FHUA1
axl+sLM8dlu4dFJdkPgf/HssQ26LDcLA7AmQxh1Fkb7NdvwGiGQ8F6fBz0JbyTMN
VQ7R/cx2GDagsEaoMmYp3hTMKrJbBpN04OEr/YmE0XWlz3s9dPLswwLdDgI7JDgJ
IGa+hfJCz58KK2JY1ztV0SyD75gcxhPpMxoblQnqlsDnV5lLbNrBLquKze9iXgxc
YCpcKrjSVUT4q5OA5Rob
=s1DF
-----END PGP SIGNATURE-----
Current thread:
- cryptocat/decryptocat - needs a cve? Kurt Seifried (Jul 08)
- Re: cryptocat/decryptocat - needs a cve? Nadim Kobeissi (Jul 09)
- Re: Re: cryptocat/decryptocat - needs a cve? Kurt Seifried (Jul 09)
- Re: cryptocat/decryptocat - needs a cve? Nadim Kobeissi (Jul 10)
- Re: Re: cryptocat/decryptocat - needs a cve? Kurt Seifried (Jul 09)
- <Possible follow-ups>
- Re: Re: Re: cryptocat/decryptocat - needs a cve? security curmudgeon (Jul 10)
- Re: Re: Re: Re: cryptocat/decryptocat - needs a cve? Kurt Seifried (Jul 10)
- Re: cryptocat/decryptocat - needs a cve? Nadim Kobeissi (Jul 09)