List:       oss-security
Subject:    Re: [oss-security] Re: kwallet crypto misuse
From:       Michael Samuel <mik () miknet ! net>
Date:       2014-01-02 23:32:09
Message-ID: CACYkhxgwi6MQkzr85mwa0MmzKdxRr-N=Fif3YSteVk2VZU7RcA () mail ! gmail ! com


>
> > KWallet uses QDataStream, which encodes QString objects (used in
> > KWallet maps) as UTF-16. So, the string "abcd" will be stored as
> > "\0a\0b\0c\0d", which gives four bytes of information per block.
>
> Does anyone know whether the KWallet user interface could make it
> possible to enter passwords containing 16-bit characters (i.e.,
> characters that cannot be represented using 8 bits)? If that would not
> be possible, then this issue could potentially qualify for an
> additional CVE assignment.
>

I don't think another CVE is warranted - this just amplifies the original
vulnerability.

Implementing a cryptographic store (e.g. a cryptographic file protocol) is
non-trivial and the KDE developers might wish to seek help with this -
perhaps a wiki page?

Regards,
  Michael
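The point quoted at the top of this message (QDataStream storing a QString as UTF-16, so an ASCII password "abcd" becomes "\0a\0b\0c\0d" and a cipher block carries only four bytes of real content) and the follow-up question about 16-bit characters can both be checked directly. The script below is an added illustration, not code from KWallet, KDE or anyone in the thread. It assumes QDataStream's default big-endian UTF-16 encoding for the string body (the 32-bit length prefix QDataStream also writes is omitted, since only the character bytes matter here), and it assumes an 8-byte block size, which the page implies but does not state; both are labelled in the code.

```python
import math

# Assumed cipher block size in bytes. The thread says "four bytes of information
# per block" for UTF-16 ASCII, which implies 8-byte blocks, but never states it.
BLOCK_SIZE = 8


def qdatastream_qstring(s: str) -> bytes:
    """Encode a string the way the thread describes QDataStream encoding QString:
    one UTF-16 code unit per character, big-endian (QDataStream's default byte
    order). The 32-bit length prefix QDataStream writes before the data is left
    out here because it does not change the per-block picture."""
    return s.encode("utf-16-be")


def split_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Cut the encoded string into cipher-sized blocks (last one may be short)."""
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]


def information_bytes_per_block(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """For each block, count bytes that are not the zero high byte UTF-16 adds
    to every character below U+0100. This is the 'bytes of information per
    block' figure from the thread: ASCII gives 4 of 8, while characters at or
    above U+0100 contribute both bytes."""
    return [sum(1 for b in block if b != 0) for block in split_blocks(data, block_size)]


def effective_bits_per_block(charset_size: int, chars_per_block: int) -> float:
    """Upper bound on the entropy an attacker has to guess inside one block,
    given how many distinct characters the user draws from and how many
    characters land in a block. For printable ASCII (94 symbols) and the four
    characters UTF-16 fits in an 8-byte block this is about 26 bits, far below
    the 64 bits the block could hold."""
    return chars_per_block * math.log2(charset_size)


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from any real wallet.
    for pw in ["abcd", "abcdefgh", "\u4e2d\u6587ab"]:
        enc = qdatastream_qstring(pw)
        print(repr(pw), enc, information_bytes_per_block(enc))
    print("printable ASCII, 4 chars/block:",
          round(effective_bits_per_block(94, 4), 2), "bits")
    print("arbitrary bytes, 8 bytes/block:",
          effective_bits_per_block(256, 8), "bits")
```

Running it shows "abcd" encoding to `b'\x00a\x00b\x00c\x00d'` with `[4]` information bytes in its single block, and "abcdefgh" giving `[4, 4]`, while a string that starts with two CJK characters (code points above U+00FF, so both UTF-16 bytes are non-zero) gives `[6]` for its block. That is the answer to the question in the quoted text: only characters outside the 8-bit range put information into the high bytes, and for an ASCII-only password the effective search space per block is roughly 26 bits rather than 64.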

