1412969 – CVE-2016-6225 Encryption IV Not Being Set Properly

Bug 1412969 - CVE-2016-6225 Encryption IV Not Being Set Properly

Summary: CVE-2016-6225 Encryption IV Not Being Set Properly

Keywords:
Status:	CLOSED DUPLICATE of bug 1413008
Alias:	None
Product:	Fedora EPEL
Classification:	Fedora
Component:	percona-xtrabackup
Sub Component:
Version:	epel7
Hardware:	All
OS:	All
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Pete MacKinnon
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-01-13 09:52 UTC by David Busby
Modified:	2017-01-16 11:40 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-01-13 12:07:43 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Description David Busby 2017-01-13 09:52:36 UTC

Description of problem:

xbcrypt in versions < 2.3.5 && < 2.4.5 does not handle the setting of the IV correctly resulting in the produced ciphertext being vulnerable to a chosen plaintext attack.

More here: https://www.percona.com/blog/2017/01/12/cve-2016-6225-percona-xtrabackup-encryption-iv-not-set-properly/

Version-Release number of selected component (if applicable):

2.3.6 && 2.4.5

How reproducible:

PoC code may be available on request, and on NDA signing.

Additional info:

Code changes here:

https://github.com/percona/percona-xtrabackup/pull/266 https://github.com/percona/percona-xtrabackup/pull/267

Affected package is here: https://koji.fedoraproject.org/koji/packageinfo?packageID=20906

Comment 1 Andrej Nemec 2017-01-13 12:07:43 UTC

Hello David,

Thank you for the information. I have filed a security bug and added tracking bugs to it. Marking this as duplicate, if you need anything else please comment in the CVE bug.

*** This bug has been marked as a duplicate of bug 1413008 ***

Note You need to log in before you can comment on or make changes to this bug.