oss-sec mailing list archives

Re: kwallet crypto misuse
From: cve-assign () mitre org
Date: Fri, 3 Jan 2014 20:40:18 -0500 (EST)


> ECB, which is bad at hiding patterns in data. For instance, if a
> password is stored more than once, an attacker can determine that this
> is likely to have been done, by noticing the corresponding pattern in
> the output. As far as I can see, this is now CVE-2013-7252.
>
> yep, agreed.

The short answer is that CVE-2013-7252 was assigned because of the
sentence "It is quite obvious that this is a programming error" in the
http://security.stackexchange.com/a/44010/32167 post. The motivation
for the CVE assignment isn't that the end result is ECB.

To try to make this slightly more general, we'll mention two scenarios
in which a vendor writes some code, and the code has a certain
characteristic for which the outcome is weaker security.

Scenario A:
Based on analysis of the code itself, one can reasonably conclude that
the vendor WAS NOT trying to have that characteristic.

Scenario B:
Based on analysis of subject-matter references, one can reasonably
conclude that the vendor SHOULD NOT HAVE BEEN trying to have that

We've written longer explanations here in the past, but: to a
first-order approximation, CVE assignment is MOSTLY about Scenario A.

Flippant example of Scenario B: the code calls ROT13 once.

Flippant example of Scenario A: because of a logic error, the code
calls ROT13 twice.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
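The pattern leak the quoted analysis describes, as an added example that is not part of the thread or of kwallet's code: the same 16-byte secret stored twice is encrypted under a hand-rolled ECB loop and under CBC with a random IV, and a simple check then looks for identical ciphertext blocks. The key and the stored secret are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt: each block independently; Go's stdlib has no ECB mode on purpose.
func ecbEncrypt(block cipher.Block, pt []byte) []byte {
	bs, out := block.BlockSize(), make([]byte, len(pt))
	for i := 0; i+bs <= len(pt); i += bs {
		block.Encrypt(out[i:i+bs], pt[i:i+bs])
	}
	return out
}

// cbcEncrypt: fresh random IV prepended to the output; equal plaintext blocks no longer match.
func cbcEncrypt(block cipher.Block, pt []byte) ([]byte, error) {
	bs := block.BlockSize()
	out := make([]byte, bs+len(pt))
	if _, err := rand.Read(out[:bs]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:bs]).CryptBlocks(out[bs:], pt)
	return out, nil
}

// repeatedBlocks reports whether any two blocks of ct are identical (the observable pattern).
func repeatedBlocks(ct []byte, bs int) bool {
	for i := 0; i+bs <= len(ct); i += bs {
		for j := i + bs; j+bs <= len(ct); j += bs {
			if bytes.Equal(ct[i:i+bs], ct[j:j+bs]) {
				return true
			}
		}
	}
	return false
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16)           // constructed demo key
	pw := []byte("correct horse ba")                // constructed 16-byte secret
	store := append(append([]byte{}, pw...), pw...) // the same secret stored twice
	block, _ := aes.NewCipher(key)
	cbc, _ := cbcEncrypt(block, store)
	fmt.Println(repeatedBlocks(ecbEncrypt(block, store), 16), repeatedBlocks(cbc[16:], 16)) // true false
}
```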
