This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available. Please note: this issue affects multiple supported versions of Fedora. Only one tracking bug has been filed; please ensure that it is only closed when all affected versions are fixed. [bug automatically created by: add-tracking-bugs]
Please use the following update submission link to create the Bodhi request for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable. Please also ensure that the "Close bugs when update is stable" option remains checked. Bodhi update submission link: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=1048168,1048169
Hello than, Could you please fix this soon?
The situation is that there are 2 issues mentioned in the security analysis: 1. insecure hashing of the wallet password, and 2. use of blockwise instead of chained-block Blowfish encryption. Neither of those is a matter of just applying a simple fix, fixing either requires changing the wallet format and migrating the existing wallets. What upstream has done is: * since 4.12 (i.e. since even before the security analysis), KWallet can use GPG instead of the custom encryption. However, wallets are not automatically migrated to GPG (I think for technical reasons). * in 4.13, upstream has made this change: https://projects.kde.org/projects/kde/kde-runtime/repository/revisions/c546c2517edc517eabdb8750e625964657152767 which should fix issue #1. (It bumps the wallet format and migrates existing wallets automatically.) I don't, however, see anything addressing issue #2. That said, I'm not sure that we need to urgently fix this, considering that "Unless Blowfish is broken, passwords in KWallet are safe" according to the security researcher. We ship kde-runtime >= 4.13 in Fedora 20, 21 and Rawhide. Fedora 19 is still stuck on 4.11.5. I'm not sure whether backporting the hashing change (issue #1) to Fedora 19 is a good idea or not. I am not aware of any fix for issue #2 being available from anywhere. (The algorithm fix is probably rather simple, but it needs another format revision bump, it's a shame that that wasn't fixed together with the hashing issue.)
Hello Kevin, Thanks so much for the details. I guess pushing updates to F19 now maybe futile; By the time they reach to -stable it is going to reach EOL. Since issue #1 is fixed in the current upstream kde-runtime-4.13 release; And a fix for the #2 issue, ie. change of Blowfish encryption is not expected anytime soon, we don't even know if upstream is considering it for real, it would be good to close this bug as CLOSED DEFERRED with due comments about it. Thank you.
ok, done.
*** Bug 1180503 has been marked as a duplicate of this bug. ***
Looks like upstream has patches for the second issue, see the duplicates.
Pulling in fixes today.
kde-runtime-4.14.3-3.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/kde-runtime-4.14.3-3.fc21
kde-runtime-4.14.3-3.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/kde-runtime-4.14.3-3.fc20
Package kde-runtime-4.14.3-3.fc21: * should fix your issue, * was pushed to the Fedora 21 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing kde-runtime-4.14.3-3.fc21' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-0569/kde-runtime-4.14.3-3.fc21 then log in and leave karma (feedback).
kde-runtime-4.14.3-3.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
kde-runtime-4.14.3-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.