List:       oss-security
Subject:    Re: [oss-security] CVE Request: Python keyring
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-10-31 15:35:10
Message-ID: 5091452E.8080306 () redhat ! com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/30/2012 01:27 PM, Raphael Geissert wrote:
> On Friday 05 October 2012 15:21:57 Marc Deslauriers wrote:
>> Hello,
>> 
>> Python keyring before 0.9.1 was using the user-supplied password 
>> insecurely.
>> 
>> From the 0.9.1 changelog:
>> 
>> CryptedFileKeyring now uses PBKDF2 to derive the key from the
>> user's password and a random hash. The IV is chosen randomly as
>> well. All the stored passwords are encrypted at once. Any
>> keyrings using the old format will be automatically converted to
>> the new format (but will no longer be compatible with 0.9 and
>> earlier). The user's password is no longer limited to 32
>> characters. PyCrypto 2.5 or greater is now required for this
>> keyring.
>> 
>> See:
>> 
>> http://pypi.python.org/pypi/keyring#id2 
>> https://bugs.launchpad.net/ubuntu/+source/python-keyring/+bug/1004845
>>
>
> Could a CVE id be assigned please?
> 
> Thanks,

Please use CVE-2012-4571 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
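
Added example, not part of the original thread and not keyring's own code: a standard-library sketch of the key handling the quoted 0.9.1 changelog describes (PBKDF2 over the password with a random salt, plus a fresh random IV), set beside a pad-or-truncate key for contrast. Assumptions: the changelog's "random hash" is read as a salt; the iteration count, key, salt and IV sizes and all function names are illustrative; the pad-or-truncate function is a generic weak scheme rather than the pre-0.9.1 code, which this page does not show; the encryption step is omitted because it needs a cipher library.

```python
import hashlib
import hmac
import os

# Assumed parameters; the changelog quoted above states none of them.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32    # 256-bit key
SALT_LEN = 16
IV_LEN = 16     # one AES block


def naive_key(password: str) -> bytes:
    """Generic weak scheme (illustrative): pad or truncate the password to key size."""
    return password.encode("utf-8")[:KEY_LEN].ljust(KEY_LEN, b"\0")


def new_keyring_params() -> dict:
    """Fresh salt and IV, generated each time the keyring file is written.
    Both are stored in the clear next to the ciphertext; neither is secret."""
    return {
        "salt": os.urandom(SALT_LEN),
        "iv": os.urandom(IV_LEN),
        "iterations": PBKDF2_ITERATIONS,
    }


def derive_key(password: str, params: dict) -> bytes:
    """PBKDF2-HMAC-SHA256 over the whole password, whatever its length."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        params["salt"],
        params["iterations"],
        dklen=KEY_LEN,
    )


def demo() -> dict:
    # Constructed sample passwords that differ only after character 32.
    long_a = "x" * 32 + "-first"
    long_b = "x" * 32 + "-second"
    p1, p2 = new_keyring_params(), new_keyring_params()
    k_a1 = derive_key(long_a, p1)
    return {
        "naive_truncation_collides": naive_key(long_a) == naive_key(long_b),
        "pbkdf2_uses_full_password": k_a1 != derive_key(long_b, p1),
        "salt_changes_key": k_a1 != derive_key(long_a, p2),
        "stored_salt_reproduces_key": hmac.compare_digest(k_a1, derive_key(long_a, p1)),
        "iv_is_fresh": p1["iv"] != p2["iv"],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```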