Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <8538jrx8vx.fsf@boum.org>
Date: Mon, 10 Feb 2014 16:52:34 +0100
From: intrigeri <intrigeri@...m.org>
To: oss-security@...ts.openwall.com
Cc: Holger Levsen <holger@...er-acht.org>
Subject: CVE request: parcimonie (0.6 to 0.8, included) possible correlation between key fetches

Hi,

Holger Levsen <holger@...er-acht.org> discovered that parcimonie [1],
a privacy-friendly helper to refresh a GnuPG keyring, before version
0.8.1, is affected by a design problem that undermines the usefulness
of this piece of software, in the intended threat model. I am upstream
for parcimonie, and I maintain it in Debian.

Type of the vulnerability: information disclosure.

Description: when using parcimonie with a large keyring (1000 public
keys or more), it would always sleep exactly 10 minutes between two
key fetches. This is likely to be fingerprintable by an adversary who
can watch enough key fetches, who can then correlate multiple key
fetches with each other, which is the exact situation that parcimonie
aims at protecting against. It happens that such an adversary is part
of the threat model parcimonie is meant to cope with. This problem is
slightly mitigated by the fact that most users likely use a HKP(s)
pool as their configured GnuPG keyserver (so their successive requests
have good chances to be sent to different keyservers), and the fact
that each key fetch is done using a different Tor circuit.

Upstream bugfix: commit 8931fdcf868c37e2e8d44324d5514d235a6d5c89 in
git://gaffer.ptitcanardnoir.org/App-Parcimonie.git

Versions affected: from parcimonie 0.6 to 0.8, included. Fixed in
parcimonie 0.8.1.

This problem was made public in Debian bug #738134 [2], and was
described in details in the commit message for the upstream bugfix.

Could you please allocated a CVE id for this?

References:
[1] http://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/
[2] https://bugs.debian.org/738134

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.