Hi Carl

Reading through the code a bit:

On Sat, Dec 29, 2012 at 08:56:07AM +0100, Salvatore Bonaccorso wrote:
> > http://www.openwall.com/lists/oss-security/2012/11/16/2
> > http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-5577.html
> > http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-5578.html

These seem to be introduced in upstream 0.9.1 by fixing:

* CryptedFileKeyring now uses PBKDF2 to derive the key from the user's
  password and a random hash. The IV is chosen randomly as well. All the
  stored passwords are encrypted at once. Any keyrings using the old format
  will be automatically converted to the new format (but will no longer be
  compatible with 0.9 and earlier). The user's password is no longer limited
  to 32 characters. PyCrypto 2.5 or greater is now required for this keyring.

which is [1,2]. If I see it correctly, it was introduced with commit [3]
and changed at least to the current form in [4].

 [1]: http://bugs.debian.org/675379 (CVE-2012-4571)
 [2]: https://bugs.launchpad.net/ubuntu/+source/python-keyring/+bug/1004845
 [3]: https://bitbucket.org/kang/python-keyring-lib/commits/576e21ab1e6dba1cfb13a1112841798679c21057
 [4]: https://bitbucket.org/kang/python-keyring-lib/commits/7b324f00f28d28afb9be371f0f4088d385cc15f2

Does this look correct?

So if wheezy will get a fix for CVE-2012-4571, then it also needs the
above fixes.

Regards,
Salvatore
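Added example, not code from python-keyring and not part of Salvatore's mail: the key-derivation step the quoted 0.9.1 changelog describes (PBKDF2 from the user's password and a random salt, a random IV, one blob holding all stored passwords), written against the Python standard library only. The concrete parameters (PBKDF2-HMAC-SHA1, 16-byte salt and IV, 1000 iterations, 32-byte key) and the JSON header layout are assumptions chosen for illustration, not the values upstream picked, and the symmetric cipher step itself is left out because it is not in the standard library.

```python
import hashlib
import json
import os

# Assumed parameters for illustration only; not necessarily upstream's choices.
SALT_LEN = 16
IV_LEN = 16
ITERATIONS = 1000
KEY_LEN = 32


def derive_key(password: str, salt: bytes,
               iterations: int = ITERATIONS, key_len: int = KEY_LEN) -> bytes:
    """PBKDF2-HMAC-SHA1 over the password and a per-keyring random salt.

    PBKDF2 feeds the password through HMAC, so any password length is
    accepted; the 32-character limit of the pre-0.9.1 format does not apply.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt, iterations, key_len)


def new_keyring_header() -> dict:
    """Draw a fresh salt and IV from os.urandom for each keyring file.

    Both values are stored next to the ciphertext (hex here, a constructed
    layout) so the same key can be re-derived on the next unlock.
    """
    return {"salt": os.urandom(SALT_LEN).hex(),
            "iv": os.urandom(IV_LEN).hex(),
            "iterations": ITERATIONS}


def serialize_passwords(entries: dict) -> bytes:
    """All stored passwords become one plaintext blob.

    The changelog says the stored passwords are encrypted at once; the blob
    built here is what that single cipher call would cover.
    """
    return json.dumps(entries, sort_keys=True).encode("utf-8")


def unlock_key(password: str, header: dict) -> bytes:
    """Re-derive the file key from the user's password and the stored salt."""
    return derive_key(password, bytes.fromhex(header["salt"]),
                      header["iterations"])


if __name__ == "__main__":
    header = new_keyring_header()
    key = unlock_key("correct horse battery staple, longer than 32 chars", header)
    blob = serialize_passwords({"svc:user": "s3cret"})  # constructed sample entry
    print(header, key.hex(), len(blob))
```

The two checks worth keeping in mind when reviewing such a change: the salt and IV must be generated per file and stored with it (a fixed or absent salt turns PBKDF2 back into a plain password hash), and the derived key must depend on the full password rather than a truncated prefix.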
