oss-sec mailing list archives
Re: kwallet crypto misuse
From: cve-assign () mitre org
Date: Fri, 3 Jan 2014 20:40:18 -0500 (EST)
> ECB, which is bad at hiding patterns in data. For instance, if a password is stored more than once, an attacker can determine that this is likely to have been done, by noticing the corresponding pattern in the output. As far as I can see, this is now CVE-2013-7252.

yep, agreed.
The short answer is that CVE-2013-7252 was assigned because of the sentence "It is quite obvious that this is a programming error" in the http://security.stackexchange.com/a/44010/32167 post. The motivation for the CVE assignment isn't that the end result is ECB.

To try to make this slightly more general, we'll mention two scenarios in which a vendor writes some code, and the code has a certain characteristic for which the outcome is weaker security.

Scenario A: Based on analysis of the code itself, one can reasonably conclude that the vendor WAS NOT trying to have that characteristic.

Scenario B: Based on analysis of subject-matter references, one can reasonably conclude that the vendor SHOULD NOT HAVE BEEN trying to have that characteristic.

We've written longer explanations here in the past, but: to a first-order approximation, CVE assignment is MOSTLY about Scenario A.

Flippant example of Scenario B: the code calls ROT13 once.

Flippant example of Scenario A: because of a logic error, the code calls ROT13 twice.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
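The pattern leak described in the quoted text, as an added example that is not part of this thread or of KWallet's code: a stand-in block function (keyed SHA-256 truncated to one block, an assumption standing in for Blowfish or any real cipher) encrypts a constructed wallet layout in ECB and in CBC, and a duplicate-block check shows that the reused password is visible only under ECB. The wallet layout, key, IV and entries are all constructed for the example.

```python
import hashlib
BLOCK = 16

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in block function (assumption: not Blowfish or any real cipher):
    # keyed SHA-256 truncated to one block. Not invertible, so not usable for
    # decryption, but it has the property ECB leaks on: same key + same block -> same output.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    data = pkcs7_pad(data)
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    data, out, prev = pkcs7_pad(data), [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out.append(prev)
    return iv + b"".join(out)  # IV stored in the clear, as usual for CBC

def build_wallet(entries) -> bytes:
    # Constructed layout: 16-byte name block + 16-byte secret block per entry.
    return b"".join(n.ljust(BLOCK, b"\0") + s.ljust(BLOCK, b"\0") for n, s in entries)

def duplicate_block_indices(ct: bytes, skip: int = 0) -> list:
    # Indices of ciphertext blocks identical to an earlier one: the pattern an
    # observer sees under ECB. A chained mode with a fresh IV should give [].
    seen, dups = {}, []
    for idx, i in enumerate(range(skip, len(ct), BLOCK)):
        b = ct[i:i + BLOCK]
        if seen.setdefault(b, idx) != idx:  # an earlier block had the same bytes
            dups.append(idx)
    return dups

# Constructed sample: the same password reused for two wallet entries.
SAMPLE_ENTRIES = [(b"mail", b"hunter2"), (b"vpn", b"correct-horse"), (b"wiki", b"hunter2")]
KEY, IV = b"\x01" * 16, bytes(range(16))  # constructed key and fixed IV (deterministic run)

def compare_modes():
    wallet = build_wallet(SAMPLE_ENTRIES)
    ecb = ecb_encrypt(KEY, wallet)
    cbc = cbc_encrypt(KEY, IV, wallet)
    # -> ([5], []): under ECB, block 5 (wiki's secret) equals block 1 (mail's secret)
    return duplicate_block_indices(ecb), duplicate_block_indices(cbc, skip=BLOCK)
```

The same duplicate-block check can be run over any stored ciphertext as a cheap indicator that a block cipher was used without chaining or randomization.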
Current thread:
- kwallet crypto misuse Florian Weimer (Jan 02)
- Re: kwallet crypto misuse cve-assign (Jan 02)
- Re: Re: kwallet crypto misuse Daniel Kahn Gillmor (Jan 02)
- Re: kwallet crypto misuse cve-assign (Jan 02)
- Re: Re: kwallet crypto misuse Kurt Seifried (Jan 02)
- Re: Re: kwallet crypto misuse Daniel Kahn Gillmor (Jan 02)
- Re: Re: kwallet crypto misuse Michael Samuel (Jan 02)
- Re: kwallet crypto misuse cve-assign (Jan 02)
- Re: kwallet crypto misuse gremlin (Jan 02)
- Re: kwallet crypto misuse Daniel Kahn Gillmor (Jan 03)
- Re: kwallet crypto misuse Simon McVittie (Jan 03)
- Re: kwallet crypto misuse Daniel Kahn Gillmor (Jan 03)
- Re: kwallet crypto misuse cve-assign (Jan 03)
- Re: kwallet crypto misuse Daniel Kahn Gillmor (Jan 03)
- Re: kwallet crypto misuse gremlin (Jan 04)