Re: CVE request for saltstack

[Kurt Seifried <kseifried () redhat com>]

Ahh to funny. Someone pointed out the commit to me and I didn't even think
to check if it got a CVE in the past. Please ignore my pre lunch
shenanigans.

On Thu, Aug 13, 2015 at 11:25 AM, Solar Designer <solar () openwall com> wrote:

> On Thu, Aug 13, 2015 at 11:06:10AM -0600, Kurt Seifried wrote:
> > So someone pointed this out to me:
> https://github.com/saltstack/salt/commit/e8ce66cf688b43aeb3e716e78b1af3a08e9940e3
> >      priv = '{0}.pem'.format(base)
> >      pub = '{0}.pub'.format(base)
> >
> > -    gen = RSA.gen_key(keysize, 1, callback=lambda x, y, z: None)
> > +    gen = RSA.gen_key(keysize, 65537, callback=lambda x, y, z: None)
> >      cumask = os.umask(191)
> >      gen.save_key(priv, None)
> >      os.umask(cumask)
> >
> > This is using the M2Crypto.RSA.
> >
> > TL;DR: doing RSA crypto with a public exponent value of "1" makes crypto
> > very fast. Fast is not always good.
> >
> > Can we get a CVE for this please?
>
> Duplicate CVE request, with wrong rationale this time (hilarious, though)?
>
> http://www.openwall.com/lists/oss-security/2013/07/01/1
>
> https://github.com/saltstack/salt/commit/5dd304276ba5745ec21fc1e6686a0b28da29e6fc
>
> http://stackoverflow.com/questions/17490282/why-is-this-commit-that-sets-the-rsa-public-exponent-to-1-problematic
> https://news.ycombinator.com/item?id=5993959
>
> Alexander



-- 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com