Re: CVE request for sqlalchemy-utils

[Larry Cashdollar <larry0 () me com>]

I stopped asking.

From:  <robert () robert io>
Reply-To:  Open Security <oss-security () lists openwall com>
Date:  Sunday, October 18, 2015 at 3:21 PM
To:  Open Security <oss-security () lists openwall com>
Cc:  <cve-assign () mitre org>
Subject:  Re: [oss-security] CVE request for sqlalchemy-utils

I've been told I should check-in after a couple of weeks without a
response. Is there any more information I can provide to help you make a
decision?

> From the discussion on the bug tracker, this was a design decision, but
at least some users of the library weren't aware of it. As far as I know
it wasn't / isn't documented. I noticed the issue when reviewing the
code for Netflix's Lemur tool and they were not previously aware of the
issue: https://github.com/Netflix/lemur/issues/117
 
- Robert

On Tue, Oct 6, 2015, at 02:10 PM, robert () robert io wrote:
>  Description: I noticed that the sqlalchemy-utils package's EncryptedType
>  does not use a random IV when encrypting with AES in CBC mode. It
>  generates a SHA256 hash of the user's key and uses the first 16 bytes of
>  that hash as the IV (and the full hash as the encryption key). The
>  result is that for a given key, the IV will always be the same.
>  
>  Reported here: https://github.com/kvesteri/sqlalchemy-utils/issues/166
>  Version: Current. I'm not sure what the version history of this package
>  looks like, though.
>  Reporter: Robert Picard
>  
>  Please assign a CVE if you feel it would be appropriate for this bug.
>  
>  - Robert