Sebastian Ramacher
2012-May-31 18:01 UTC
[Secure-testing-team] Bug#675379: python-keyring: CryptedFileKeyring is insecure
Package: python-keyring
Version: 0.7.1-1
Severity: important
Tags: security

Due to recent changes in python-crypto it has been discovered that python-keyring's CryptedFileKeyring uses AES/CFB in an insecure way. CFB requires an unpredictable IV, but CryptedFileKeyring doesn't even pass one. In previous versions of python-crypto it was possible to omit the IV and it was set to '\0' * 16 in that case. Starting with 2.6 it is mandatory to specify an IV. Please see LP: #1004845 [1] for a detailed discussion of the issue.

Kind regards

[1] https://bugs.launchpad.net/ubuntu/+source/python-keyring/+bug/1004845

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (650, 'unstable'), (601, 'testing'), (600, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-keyring depends on:
ii  python     2.7.2-10
ii  python2.6  2.6.7-4
ii  python2.7  2.7.3~rc2-2.1

Versions of packages python-keyring recommends:
ii  python-crypto  2.6-2

python-keyring suggests no packages.
-- no debconf information
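The static-IV CFB problem the report describes, as an added example that is neither from the original message nor from python-keyring's code; it assumes a keyed PRF (HMAC-SHA256) standing in for AES so it runs without python-crypto, and uses a constructed key and two constructed keyring entries:

```python
import hashlib
import hmac
import os

BLOCK = 16  # AES block size; CFB-128, one full block per segment

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for one AES block encryption (assumption: HMAC-SHA256 as a keyed
    # PRF, cut to 16 bytes). CFB only ever calls the forward cipher function,
    # so the IV behaviour shown here is the same as with real AES.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CFB-128: C_i = P_i XOR E_k(C_{i-1}) with C_0 = IV, so the IV is the only
    # input that varies the first keystream block between two messages.
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), BLOCK):
        c = xor(plaintext[i:i + BLOCK], block_encrypt(key, prev))
        out += c
        prev = c  # a short final segment is never fed back, so no padding
    return bytes(out)

def shared_prefix_blocks(c1: bytes, c2: bytes) -> int:
    # Number of leading segments the two ciphertexts have in common.
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n

KEY = b"constructed-key!"  # constructed sample key, 16 bytes
P1 = b"keyring-entry-01" + b"alpha-secret"  # constructed entries sharing
P2 = b"keyring-entry-01" + b"bravo-secret"  # their first 16 bytes

def encrypt_pair(iv1: bytes, iv2: bytes):
    # Returns (shared leading segments, whether the second segments XOR to the
    # XOR of the plaintexts): both are visible to anyone holding the two files.
    c1, c2 = cfb_encrypt(KEY, iv1, P1), cfb_encrypt(KEY, iv2, P2)
    second_leaks = xor(c1[BLOCK:], c2[BLOCK:]) == xor(P1[BLOCK:], P2[BLOCK:])
    return shared_prefix_blocks(c1, c2), second_leaks

def zero_iv():
    # The misuse in the report: IV omitted, so python-crypto < 2.6 used '\0' * 16.
    return encrypt_pair(b"\0" * BLOCK, b"\0" * BLOCK)

def fresh_iv():
    # The fix: an unpredictable IV per encryption, stored next to the ciphertext.
    return encrypt_pair(os.urandom(BLOCK), os.urandom(BLOCK))
```

With the zero IV, two entries sharing their first 16 bytes get an identical first ciphertext segment and their second segments XOR to the XOR of the plaintexts; with a fresh random IV neither relation holds.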