[Secure-testing-team] Bug#675379: python-keyring: CryptedFileKeyring is insecure

Sebastian Ramacher s.ramacher at gmx.at
Thu May 31 18:01:10 UTC 2012


Package: python-keyring
Version: 0.7.1-1
Severity: important
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Due to recent changes in python-crypto it has been discovered that
python-keyring's CryptedFileKeyring uses AES/CFB in an insecure way. CFB
requires an unpredictable IV, but CryptedFileKeyring doesn't even pass one.
In previous versions of python-crypto it was possible to omit the IV and it
was set to '\0' * 16 in that case. Starting with 2.6 it is mandatory to
specify an IV.

Please see LP: #1004845 [1] for a detailed discussion of the issue.

Kind regards

[1] https://bugs.launchpad.net/ubuntu/+source/python-keyring/+bug/1004845

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (650, 'unstable'), (601, 'testing'), (600, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-keyring depends on:
ii  python     2.7.2-10
ii  python2.6  2.6.7-4
ii  python2.7  2.7.3~rc2-2.1

Versions of packages python-keyring recommends:
ii  python-crypto  2.6-2

python-keyring suggests no packages.

-- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJPx7HmAAoJEGny/FFupxmTFggQALhVKijeI3ClwADBkkeTtbA5
w08Fgkoqfnr90K7YIHf6UolISDwfUg5P1D1Bq9ablCef/EVe4mCSI/uRHQjL+96K
q9Kmw1SThxlDfozc1n6Jn1TqpEgMwJ4eH4tCAiOQHVEqUmWetMe74hVBj563gfdO
G68OAlrhl0tyl8JVM60Tj4bvcuoFvnUR9nZd+qE/G3lweWD9NL+HDuuocXXLEQNb
piLkLMeEq/PqfG0f1qMWXeDJTzr6Zm05k2xAqHP7ejj62iKeOViV3Abri/Zecy/d
qm2kUZRQkkYJP2ef7W3z9AnQVfu6CX7t2L74JOHEb20BlyQhT8aoGrSGZxKjHjHU
3kTfXGHuV0dbHXkPJ+IoG+qtYSBFVHlSQW/Rg7GOp4PxBVDXLw/zb64jJ9BG3ovq
AvRiDRRQpheY+WODuA/XHgeuaiWXsOfkVtsJowbtLK4L8DefBGI2I3xFbsLMkRGc
woWbyizPjPPpEmKiG9hpN0W0/8fpdhJoVrjw840DahP12SQmrccSGUf0Vq6cp4BW
LsPRfsskHYuO6G3aYwxHpjuX58S53+Viq2QeWos4vqOgRzyuCihQ3Sfki8ubztR1
vTK5F8NdlfsBfXGsrx6c0gx5jwCdg2aBjkqpnFPl9x4ewRxIzApGrsj6FRKwt/KA
xNuOBLsutj3z5FihNfbY
=rFa+
-----END PGP SIGNATURE-----
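What the report describes, as an added example that is not part of the bug report or of python-keyring's code: CFB mode driven with the all-zero IV that pre-2.6 python-crypto substituted when none was given, beside the corrected form that draws a fresh IV per message and stores it in front of the ciphertext. CFB only ever uses the block cipher's forward direction, so HMAC-SHA256 truncated to one block stands in for AES here (an assumption made so the example runs on the standard library alone; it is not AES). The key, the two keyring-style plaintexts and all function names are constructed for the example.

```python
import hashlib
import hmac
import os

BLOCK = 16
ZERO_IV = b"\0" * BLOCK          # what pre-2.6 python-crypto used when no IV was given

# Constructed demo key; not derived from any real keyring file.
DEMO_KEY = b"0123456789abcdef"


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher's forward direction.

    CFB never calls the cipher's inverse, so any keyed PRF reproduces the
    mode's structure. HMAC-SHA256 truncated to one block is used so the
    example needs only the standard library; it is NOT AES.
    """
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Full-block CFB: C_i = P_i XOR E(C_{i-1}), with C_0 = IV."""
    if len(iv) != BLOCK:
        raise ValueError("IV must be exactly one block")
    out = bytearray()
    prev = iv
    for i in range(0, len(plaintext), BLOCK):
        chunk = plaintext[i:i + BLOCK]
        c = xor_bytes(chunk, block_encrypt(key, prev))
        out += c
        prev = c                      # a trailing partial block is never fed back
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P_i = C_i XOR E(C_{i-1}); decryption also uses only the forward direction."""
    out = bytearray()
    prev = iv
    for i in range(0, len(ciphertext), BLOCK):
        chunk = ciphertext[i:i + BLOCK]
        out += xor_bytes(chunk, block_encrypt(key, prev))
        prev = chunk
    return bytes(out)


def encrypt_fixed_iv(key: bytes, plaintext: bytes) -> bytes:
    """Mirrors the reported defect: IV omitted, i.e. all zero, for every file."""
    return cfb_encrypt(key, ZERO_IV, plaintext)


def encrypt_random_iv(key: bytes, plaintext: bytes) -> bytes:
    """Corrected form: fresh unpredictable IV per message, stored in front of the ciphertext."""
    iv = os.urandom(BLOCK)
    return iv + cfb_encrypt(key, iv, plaintext)


def decrypt_random_iv(key: bytes, blob: bytes) -> bytes:
    if len(blob) < BLOCK:
        raise ValueError("blob too short to contain an IV")
    return cfb_decrypt(key, blob[:BLOCK], blob[BLOCK:])


def shared_prefix_blocks(ct1: bytes, ct2: bytes) -> int:
    """Number of leading full blocks identical in both ciphertexts.

    Under CFB with the same key and IV this equals the number of leading
    identical plaintext blocks, so anyone holding two keyring files learns
    exactly where the stored secrets begin to differ.
    """
    n = 0
    for i in range(0, min(len(ct1), len(ct2)) - BLOCK + 1, BLOCK):
        if ct1[i:i + BLOCK] != ct2[i:i + BLOCK]:
            break
        n += 1
    return n


# Constructed keyring-style contents sharing a 21-byte prefix.
ENTRY_A = b"[backend]\npassword = correct-horse"
ENTRY_B = b"[backend]\npassword = battery-staple"


def demo():
    """Returns (identical leading blocks, whether the first divergent block leaks plaintext XOR)."""
    c_a = encrypt_fixed_iv(DEMO_KEY, ENTRY_A)
    c_b = encrypt_fixed_iv(DEMO_KEY, ENTRY_B)
    leaked = shared_prefix_blocks(c_a, c_b)
    i = leaked * BLOCK
    # The keystream block is the same on both sides, so the ciphertext XOR
    # equals the plaintext XOR for the first block where the entries differ.
    plaintext_xor_leaks = (xor_bytes(c_a[i:i + BLOCK], c_b[i:i + BLOCK])
                           == xor_bytes(ENTRY_A[i:i + BLOCK], ENTRY_B[i:i + BLOCK]))
    return leaked, plaintext_xor_leaks


if __name__ == "__main__":
    print(demo())
```

With the zero IV the two constructed entries share their first ciphertext block and the XOR of their second blocks equals the XOR of the plaintexts there; with `encrypt_random_iv` neither relation holds, and the receiver recovers the IV from the first 16 bytes of the blob. The same structural property applies to real AES/CFB, since only the forward function is involved.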