List: oss-security
Subject: Re: [oss-security] Re: kwallet crypto misuse
From: Michael Samuel <mik () miknet ! net>
Date: 2014-01-02 23:32:09
Message-ID: CACYkhxgwi6MQkzr85mwa0MmzKdxRr-N=Fif3YSteVk2VZU7RcA () mail ! gmail ! com
>
> > KWallet uses QDataStream, which encodes QString objects (used in
> > KWallet maps) as UTF-16. So, the string "abcd" will be stored as
> > "\0a\0b\0c\0d", which gives four bytes of information per block.
>
> Does anyone know whether the KWallet user interface could make it
> possible to enter passwords containing 16-bit characters (i.e.,
> characters that cannot be represented using 8 bits)? If that would not
> be possible, then this issue could potentially qualify for an
> additional CVE assignment.
>
I don't think another CVE is warranted - this just amplifies the original
vulnerability.

Implementing a cryptographic store (e.g. a cryptographic file protocol) is
non-trivial and the KDE developers might wish to seek help with this -
perhaps a wiki page?

Regards,
Michael
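
The following is an added example, not part of the message above or of KWallet's code: it measures how many bytes of each block carry anything other than a forced-zero UTF-16 high byte, for the "abcd" case from the quoted text and for a string with characters above U+00FF. The 8-byte block size, the alignment of blocks to the start of the string data, and the function names are assumptions made for illustration.

```python
# Added illustration: byte-level view of UTF-16 string data split into blocks.
# Assumptions (not stated in the thread): 8-byte blocks, aligned to the start
# of the string data; length prefixes and other stream framing are ignored.

BLOCK_SIZE = 8  # assumed block size in bytes


def qstring_payload(s: str) -> bytes:
    """Return the string as big-endian UTF-16 code units ("\\0a\\0b\\0c\\0d")."""
    return s.encode("utf-16-be")


def informative_bytes_per_block(s: str, block_size: int = BLOCK_SIZE) -> list:
    """For each block, count bytes that are not a zero high byte of a code unit.

    For text limited to U+0000..U+00FF every high byte is zero, so an 8-byte
    block holds only 4 bytes that depend on the secret.
    """
    data = qstring_payload(s)
    counts = []
    for off in range(0, len(data), block_size):
        block = data[off:off + block_size]
        high_bytes = block[0::2]  # first byte of every 2-byte code unit
        zero_high = sum(1 for b in high_bytes if b == 0)
        counts.append(len(block) - zero_high)
    return counts


def report(s: str) -> str:
    """Human-readable summary: hex of each block and its informative bytes."""
    data = qstring_payload(s)
    lines = []
    for i, n in enumerate(informative_bytes_per_block(s)):
        block = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
        lines.append(f"block {i}: {block.hex(' ')}  informative={n}/{len(block)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample inputs: ASCII, Latin-1, and Cyrillic mixed with digits.
    samples = ["abcd", "p\u00e4ssw\u00f6rd", "\u043f\u0430\u0440\u043e\u043b\u044c12"]
    for sample in samples:
        print(repr(sample))
        print(report(sample))
```

Only code units above U+00FF put a non-zero value in the high byte, which is why the question in the quoted text about entering 16-bit characters matters for how much each block can vary.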