Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request: Python keyring
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 31 Oct 2012 09:35:10 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/30/2012 01:27 PM, Raphael Geissert wrote:
On Friday 05 October 2012 15:21:57 Marc Deslauriers wrote:
Hello,

Python keyring before 0.9.1 was using the user-supplied password 
insecurely.

From the 0.9.1 changelog:

CryptedFileKeyring now uses PBKDF2 to derive the key from the
user's password and a random hash. The IV is chosen randomly as
well. All the stored passwords are encrypted at once. Any
keyrings using the old format will be automatically converted to
the new format (but will no longer be compatible with 0.9 and
earlier). The user's password is no longer limited to 32
characters. PyCrypto 2.5 or greater is now required for this
keyring.

See:

http://pypi.python.org/pypi/keyring#id2 
https://bugs.launchpad.net/ubuntu/+source/python-keyring/+bug/1004845


Could a CVE id be assigned please?

Thanks,

Please use CVE-2012-4571 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQkUUuAAoJEBYNRVNeJnmT31MP/Rtf0gogMeONxkrT/HV/TzdB
bdOtVsowwczBuRtGd1x1gH9x/IAtCLhjGUxD3ZOOE/7F5lUsD1C/RTqDzR2xNRhZ
XDaG3QKo0zBLMvwy1gVBFZbNNLaRqqWft8KniXWvATyXHHXmzfnLsuV9l/mzPVQS
n/8ARJs+p5SfNP6d0vyPTMlu04Juw7oo/VuMkSSSCnMQ79//rBS4zWlWC0itU5d0
BaEugmxaSxkM8Mk6hSM51zcieBShs/pnneJQfugnhowDwov7k/PqPXMjU/84bbLi
oT5LfZbqSFnhVLxHFocRScHu96rs1qKh/hjKbfPCaJNwpSp1IPHeHzhTNtincxIq
NHM7xQ/qa6A4yl5XZHX7jED9SX7Qrfe0KzaEkqr8zI9wIYwrVF1SgFO9GN/1V3yv
CkdC9EEh6s+etKHwnVlrzd9aFTM/A9u44vDvrD8tlAK3WEzsWrqN6SbGAd+8l4/l
Pr5Ys53WnT8ca7grxs9ezw5WRrqDcAQzGFfHs6ntJwF42/cIO4OO9l7WQPR5aTn1
LgOCsnHYm6tTnxI4Kg5YZ27wfDvr/62bRMZJt7O5r4PqttoML5EJr4T49vUiDg/J
93kHkQIJpwHgluNVxhv6kqd/zy3Pm5LSBrSt+5HW5sQsxqCqpO54IcuQV2cdssrZ
03A84K5389hgNQyU8aLK
=AOwV
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault