kwalletd encrypts in ECB instead of CBC
Valentin Rusu
kde at rusu.info
Mon Jan 5 22:52:11 UTC 2015
On 05/01/15 01:51:31, Valentin Rusu wrote:
> On 28/12/14 22:58:12, David Faure wrote:
> > Hi Valentin,
> >
>
> Hello,
>
> > this report (to the security list) is two years old, but I'm not sure it was
> > ever sent to you?
> >
> > Can you check if this is still an issue?
>
> Well, this was still an issue, and I have now fixed it in my local
> KF5::KWallet repository. The code now correctly implements CBC
> encryption. I keep the legacy decrypt method and use it when reading the
> existing wallets. On next save I switch them to the new encryption
> method. The change is tracked in the kwl file header, so on next open
> it'll be decrypted using the new CBC routine.
>
> The test program under kwalletd/backend/tests was updated. I also added
> some tests for jenkins.
>
> Before pushing it, I'll first fix the KDE4 kde-runtime/kwalletd and then
> push them at the same time. I think I should also blog about this, as
> this will change the users' kwallet files. Even if that'll be
> transparent, our users should be warned. Or perhaps we should
> communicate this security update by other means?
The fixes now hit the kde-runtime and the frameworks/kwallet
repositories.
A note will be posted on https://www.kde.org/info/security/ about this
issue.
>
> >
> > Cheers,
> > David.
>
> Cheers,
> Valentin
>
> >
> >
> > On Saturday 01 December 2012 12:19:18 Itay Duvdevani wrote:
> > > Hi,
> > >
> > > Looking at the sources in git master (and going back at least
> > > to 4.8.4), I found wallet files are encrypted in ECB mode instead of
> > > CBC.
> > >
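A worked illustration of the scheme the thread describes (legacy ECB files read with the old routine, every save writing CBC, the format tracked in the file header). This is an added example, not kwalletd's or KWallet's code: it assumes a hypothetical one-byte version header (the real .kwl header is different), PKCS#7-style padding, AES-128 standing in for the wallet's Blowfish, and constructed sample data; the function names are mine. The repeated-block count is what makes the ECB problem visible: four identical plaintext entries produce four identical ciphertext blocks under ECB and none under CBC with a random IV.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Hypothetical file layout for this example only (not the real .kwl header):
// a version byte, then for formatCBC a 16-byte IV, then the ciphertext.
const formatLegacyECB, formatCBC byte = 0, 1

// Constructed sample data (not a real wallet or key); AES-128 stands in for Blowfish.
var (
	sampleBlock, _ = aes.NewCipher([]byte("0123456789abcdef"))   // cannot fail for a 16-byte key
	samplePlain    = bytes.Repeat([]byte("pw=hunter2      "), 4) // four identical 16-byte blocks
)

// PKCS#7-style padding (assumption: the real wallet uses its own scheme).
func pad(p []byte) []byte {
	n := aes.BlockSize - len(p)%aes.BlockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(p []byte) ([]byte, error) {
	if len(p) == 0 || p[len(p)-1] == 0 || p[len(p)-1] > aes.BlockSize || int(p[len(p)-1]) > len(p) {
		return nil, errors.New("bad padding length")
	}
	n := int(p[len(p)-1])
	if !bytes.Equal(p[len(p)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding bytes")
	}
	return p[:len(p)-n], nil
}

// ecb applies op (block.Encrypt or block.Decrypt) to every block on its own, so
// equal plaintext blocks give equal ciphertext blocks. Kept for legacy files only.
func ecb(op func(dst, src []byte), in []byte) []byte {
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		op(out[i:], in[i:])
	}
	return out
}

// countRepeatedBlocks counts ciphertext blocks equal to an earlier block (the ECB leak).
func countRepeatedBlocks(ct []byte) (repeats int) {
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		k := string(ct[i : i+aes.BlockSize])
		if seen[k] {
			repeats++
		}
		seen[k] = true
	}
	return repeats
}

// legacySaveWallet writes the old ECB layout; used here only to build test input.
func legacySaveWallet(block cipher.Block, plain []byte) []byte {
	return append([]byte{formatLegacyECB}, ecb(block.Encrypt, pad(plain))...)
}

// saveWallet always writes the new layout: version byte, fresh random IV, CBC body.
func saveWallet(block cipher.Block, plain []byte) ([]byte, error) {
	padded, iv := pad(plain), make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte{formatCBC}, iv...), ct...), nil
}

// openWallet dispatches on the version byte; needsMigration means the file was
// read with the legacy ECB routine and should be re-saved with CBC on the next save.
func openWallet(block cipher.Block, file []byte) (plain []byte, needsMigration bool, err error) {
	if len(file) <= aes.BlockSize || len(file)%aes.BlockSize != 1 { // version byte + whole blocks
		return nil, false, errors.New("wallet file too short or not block aligned")
	}
	body := file[1:]
	switch file[0] {
	case formatLegacyECB:
		plain, needsMigration = ecb(block.Decrypt, body), true
	case formatCBC: // the IV is the first block of the body
		plain = make([]byte, len(body)-aes.BlockSize)
		cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(plain, body[aes.BlockSize:])
	default:
		return nil, false, fmt.Errorf("unknown wallet format byte %d", file[0])
	}
	plain, err = unpad(plain)
	return plain, needsMigration, err
}

func main() {
	legacy := legacySaveWallet(sampleBlock, samplePlain)
	plain, migrate, err := openWallet(sampleBlock, legacy) // legacy path flags the file for migration
	fmt.Println("ECB repeated blocks:", countRepeatedBlocks(legacy[1:]), "migrate:", migrate, err)
	migrated, err := saveWallet(sampleBlock, plain) // the next save switches the file to CBC
	fmt.Println("CBC repeated blocks:", countRepeatedBlocks(migrated[1+aes.BlockSize:]), err)
}
```

Note the two practitioner checks this keeps: the header byte is validated before any decryption (an unknown value is an error, not a silent fall-through to one mode), and the CBC writer draws a fresh IV per save, since reusing an IV would bring back a weaker form of the same "equal prefix, equal ciphertext" leak that ECB has for every block.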