Bug 1412969 - CVE-2016-6225 Encryption IV Not Being Set Properly
Summary: CVE-2016-6225 Encryption IV Not Being Set Properly
Status: CLOSED DUPLICATE of bug 1413008
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: percona-xtrabackup
Version: epel7
Hardware: All
OS: All
unspecified
high
Target Milestone: ---
Assignee: Pete MacKinnon
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-13 09:52 UTC by David Busby
Modified: 2017-01-16 11:40 UTC (History)
2 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2017-01-13 12:07:43 UTC


Attachments (Terms of Use)

Description David Busby 2017-01-13 09:52:36 UTC
Description of problem:

xbcrypt in versions < 2.3.5 && < 2.4.5 does not handle the setting of the IV correctly resulting in the produced ciphertext being vulnerable to a chosen plaintext attack.

More here: https://www.percona.com/blog/2017/01/12/cve-2016-6225-percona-xtrabackup-encryption-iv-not-set-properly/

Version-Release number of selected component (if applicable):

2.3.6 && 2.4.5

How reproducible:

PoC code may be available on request, and on NDA signing.

Additional info:

Code changes here:

https://github.com/percona/percona-xtrabackup/pull/266 https://github.com/percona/percona-xtrabackup/pull/267

Affected package is here: https://koji.fedoraproject.org/koji/packageinfo?packageID=20906

Comment 1 Andrej Nemec 2017-01-13 12:07:43 UTC
Hello David,

Thank you for the information. I have filed a security bug and added tracking bugs to it. Marking this as duplicate, if you need anything else please comment in the CVE bug.

*** This bug has been marked as a duplicate of bug 1413008 ***


Note You need to log in before you can comment on or make changes to this bug.