| Summary: | <net-misc/seafile-6.2.11: plaintext recovery via chosen-ciphertext attack (CVE-2013-7469) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | efremov, moschlar, proxy-maint |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1679869 | | |
| Whiteboard: | ~3 [noglsa cve] | | |
| Package list: | | Runtime testing required: | --- |

Description
Agostino Sarubbo
2019-02-22 07:39:53 UTC
After reading through the code thoroughly, I want to add the clarification that the summary of the CVE is not really correct: Every encrypted library uses the same salt. (That will be fixed by upstream.) For each encrypted library, PBKDF2 is used to generate the encryption key and IV from the user-supplied password for that library (and the salt). It follows that two libraries only have the same IV if users used the same password for them. @maintainer(s), please clean up!
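
The derivation described in the comment above, as an added example that is not part of the bug report or of Seafile's code: it derives key and IV with PBKDF2 from a password and a salt, then reports which libraries end up with the same key/IV pair under a shared salt versus a per-library salt. The salt value, iteration count, hash, the 32+16 byte split and all library names and passwords are constructed assumptions.

```python
import hashlib
import os
from collections import defaultdict

# Constructed placeholders, NOT Seafile's real parameters.
STATIC_SALT = bytes(8)   # one salt shared by every encrypted library
ITERATIONS = 1000        # assumed iteration count


def derive_key_iv(password, salt, iterations=ITERATIONS):
    """Derive a 32-byte key and 16-byte IV from one PBKDF2 output (assumed layout)."""
    material = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=48
    )
    return material[:32], material[32:]


def find_iv_collisions(libraries, salt_for):
    """Group library names whose derived (key, IV) pair is identical.

    libraries: dict of library name -> password
    salt_for:  callable returning the salt used for a given library name
    Returns a sorted list of groups (each a sorted list of names) of size > 1.
    """
    groups = defaultdict(list)
    for name, password in libraries.items():
        groups[derive_key_iv(password, salt_for(name))].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample: two libraries reuse a password, one does not.
LIBRARIES = {
    "docs": "correct horse battery",
    "photos": "correct horse battery",
    "backup": "a different passphrase",
}


def shared_salt(_name):
    """Behaviour described in the report: same salt for every library."""
    return STATIC_SALT


_PER_LIBRARY_SALTS = {name: os.urandom(16) for name in LIBRARIES}


def per_library_salt(name):
    """Mitigation: a random salt stored alongside each library."""
    return _PER_LIBRARY_SALTS[name]
```

With the shared salt only the two libraries that reuse a password collide; with per-library salts no pair shares a key or IV even when the password is reused.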