Control: found -1 0.7.1-1

On 2012-12-29 09:42:08, Salvatore Bonaccorso wrote:
> Hi Carl
>
> Reading through the code a bit:
>
> On Sat, Dec 29, 2012 at 08:56:07AM +0100, Salvatore Bonaccorso wrote:
> > > http://www.openwall.com/lists/oss-security/2012/11/16/2
> > > http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-5577.html
> > > http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-5578.html
>
> These seem to be introduced in upstream 0.9.1 by fixing:
>
> * CryptedFileKeyring now uses PBKDF2 to derive the key from the user's
>   password and a random hash. The IV is chosen randomly as well. All the
>   stored passwords are encrypted at once. Any keyrings using the old format
>   will be automatically converted to the new format (but will no longer be
>   compatible with 0.9 and earlier). The user's password is no longer limited
>   to 32 characters. PyCrypto 2.5 or greater is now required for this keyring.
>
> which is [1,2]. If I see it correctly, it was introduced with commit [3] and
> changed at least to its current form in [4].
>
> [1]: http://bugs.debian.org/675379 (CVE-2012-4571)
> [2]: https://bugs.launchpad.net/ubuntu/+source/python-keyring/+bug/1004845
> [3]: https://bitbucket.org/kang/python-keyring-lib/commits/576e21ab1e6dba1cfb13a1112841798679c21057
> [4]: https://bitbucket.org/kang/python-keyring-lib/commits/7b324f00f28d28afb9be371f0f4088d385cc15f2
>
> Does this look correct?
>
> So if wheezy will get a fix for CVE-2012-4571, then it also needs the
> above fixes.
0.7.x creates the keyring world-readable too. Running
/usr/share/doc/python-keyring/examples/demo.py from 0.7.1-1 gives a
~/crypted_pass.cfg with mode 0644. So this should be fixed in wheezy anyway
[1]. Marking 0.7.1-1 as affected.

Regards

[1] I'm currently preparing a fix for CVE-2012-4571 in wheezy. I'll backport
the fix for this issue too.

-- 
Sebastian Ramacher
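To illustrate the permission problem reported above (a keyring file created with mode 0644), here is an added example that is not code from python-keyring or from this bug report: a helper that creates the password file with mode 0600 from the moment it exists, and a check that flags a file created the permissive way. File names and contents are constructed for the demonstration; it assumes a POSIX system.

```python
import os
import stat
import tempfile

PRIVATE_MODE = 0o600  # owner read/write only; nothing for group or other


def write_private_file(path, data):
    """Create `path` with mode 0600 and write `data` to it.

    Passing the mode to os.open makes the file private as soon as it is
    created, instead of creating it with the umask-derived default (0644 under
    a typical 022 umask) and tightening it later, which leaves a window in
    which other local users can read the stored secrets.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, PRIVATE_MODE)
    with os.fdopen(fd, "wb") as f:
        os.fchmod(fd, PRIVATE_MODE)  # umask can only clear bits; make it exact
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def file_exposure(path):
    """Return the permission bits that expose `path` to group or other users.

    An empty list means the file is private; a 0644 keyring file yields
    ['group-read', 'other-read'].
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    checks = (("group-read", stat.S_IRGRP), ("group-write", stat.S_IWGRP),
              ("other-read", stat.S_IROTH), ("other-write", stat.S_IWOTH))
    return [label for label, bit in checks if mode & bit]


def demo():
    """Create one file the 0.7.x way (0644) and one privately; compare them."""
    d = tempfile.mkdtemp()
    old = os.path.join(d, "crypted_pass.cfg")  # constructed sample path
    with open(old, "wb") as f:
        f.write(b"constructed sample contents\n")
    os.chmod(old, 0o644)  # the mode the 0.7.x demo produced
    new = os.path.join(d, "crypted_pass_private.cfg")
    write_private_file(new, b"constructed sample contents\n")
    return file_exposure(old), file_exposure(new)


if __name__ == "__main__":
    print(demo())  # (['group-read', 'other-read'], [])
```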