Bug 827178 - python-keyring: CryptedFileKeyring uses AES/CFB insecurely
Status: CLOSED DUPLICATE of bug 872260
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority / Severity: medium / medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20120526,repor...
Keywords: Security
Depends On: 827180
Reported: 2012-05-31 16:20 EDT by Vincent Danen
Modified: 2013-02-15 11:51 EST
Doc Type: Bug Fix
Last Closed: 2013-02-15 11:51:50 EST
Attachments: none
Description Vincent Danen 2012-05-31 16:20:26 EDT
It was found [1] that python-keyring's CryptedFileKeyring uses AES/CFB in an insecure manner.  CFB requires an unpredictable IV, but CryptedFileKeyring did not pass one, which meant that in python-crypto < 2.6, it was set to '\0' * 16 (entirely predictable value).  In python-crypto 2.6, it is mandatory to specify an IV.

On Fedora, when using python-crypto 2.6+, python-keyring will not work; with earlier versions it will continue to work, but use the predictable IV.

[1] https://bugs.launchpad.net/ubuntu/+source/python-keyring/+bug/1004845
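The following is an added illustration of the weakness described in the report above; it is not code from python-keyring, PyCrypto, or the bug reporter. Because CFB mode only ever runs the block cipher in the forward direction, an HMAC-SHA256 keyed function truncated to 16 bytes is used here as a stand-in for the AES block encryption (an assumption made so the example runs without PyCrypto installed; the structural property shown does not depend on which block function is used). The two keyring entries and the key are constructed sample data. With the zero IV that PyCrypto < 2.6 silently supplied, two files whose plaintext shares a leading prefix produce identical leading ciphertext blocks, and re-encrypting the same content yields the same bytes; with a fresh random IV stored in front of the ciphertext, neither leak occurs and decryption still round-trips.

```python
import hashlib
import hmac
import os

BLOCK = 16  # AES block size; also the size of the zero IV PyCrypto < 2.6 defaulted to

# What CryptedFileKeyring effectively used when it passed no IV (per the report).
ZERO_IV = b"\0" * BLOCK


def block_prf(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES block encryption (assumption: HMAC-SHA256 truncated
    to 16 bytes). CFB never needs the inverse of the block cipher, so any keyed
    pseudorandom function reproduces CFB's structure. This is NOT AES."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB-128 encryption: C_i = E_K(C_{i-1}) XOR P_i, with C_0 = IV."""
    out = bytearray()
    prev = iv
    for i in range(0, len(plaintext), BLOCK):
        chunk = plaintext[i:i + BLOCK]
        keystream = block_prf(key, prev)
        c = bytes(p ^ k for p, k in zip(chunk, keystream))
        out += c
        prev = c  # next keystream block depends on this ciphertext block
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CFB-128 decryption: P_i = E_K(C_{i-1}) XOR C_i, with C_0 = IV."""
    out = bytearray()
    prev = iv
    for i in range(0, len(ciphertext), BLOCK):
        chunk = ciphertext[i:i + BLOCK]
        keystream = block_prf(key, prev)
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return bytes(out)


def encrypt_insecure(key: bytes, plaintext: bytes) -> bytes:
    """Before: IV omitted, so the cipher runs with a fixed all-zero IV and
    nothing IV-related is written to the file."""
    return cfb_encrypt(key, ZERO_IV, plaintext)


def encrypt_secure(key: bytes, plaintext: bytes) -> bytes:
    """After: a fresh unpredictable IV per encryption, stored in front of the
    ciphertext so the reader can recover it. (Illustrative layout; not a claim
    about the exact on-disk format keyring adopted.)"""
    iv = os.urandom(BLOCK)
    return iv + cfb_encrypt(key, iv, plaintext)


def decrypt_secure(key: bytes, blob: bytes) -> bytes:
    iv, ciphertext = blob[:BLOCK], blob[BLOCK:]
    return cfb_decrypt(key, iv, ciphertext)


def shared_prefix_blocks(c1: bytes, c2: bytes) -> int:
    """How many leading whole 16-byte blocks two ciphertexts have in common.
    This is what an attacker with two copies of the keyring file can count."""
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n


# Constructed sample data: two keyring files that share their first 34 bytes
# (section header, username, "password=") and differ only in the secret.
SAMPLE_KEY = b"k" * 32
COMMON_PREFIX = b"[service]\nusername=alice\npassword="
ENTRY_A = COMMON_PREFIX + b"hunter2\n"
ENTRY_B = COMMON_PREFIX + b"swordfish\n"


if __name__ == "__main__":
    a0, b0 = encrypt_insecure(SAMPLE_KEY, ENTRY_A), encrypt_insecure(SAMPLE_KEY, ENTRY_B)
    print("zero IV: identical leading blocks =", shared_prefix_blocks(a0, b0))
    print("zero IV: same plaintext, same bytes:", a0 == encrypt_insecure(SAMPLE_KEY, ENTRY_A))
    a1, b1 = encrypt_secure(SAMPLE_KEY, ENTRY_A), encrypt_secure(SAMPLE_KEY, ENTRY_B)
    print("random IV: identical leading blocks =", shared_prefix_blocks(a1, b1))
    print("random IV: round-trips:", decrypt_secure(SAMPLE_KEY, a1) == ENTRY_A)
```

With the zero IV the first two 16-byte blocks of the two files are byte-for-byte equal, so anyone who can read the encrypted file twice (before and after a password change, or across two users' files encrypted under the same key) learns exactly which block changed; the random-IV variant hides this because every block's keystream chains back to the IV.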
Comment 1 Vincent Danen 2012-05-31 16:22:42 EDT
Created python-keyring tracking bugs for this issue

Affects: fedora-all [bug 827180]
Comment 2 Vincent Danen 2013-02-15 11:51:50 EST

*** This bug has been marked as a duplicate of bug 872260 ***
