Found broken a feature for fingerprint image obfuscation

Bug #1819406 reported by Seong-Joong Kim on 2019-03-11
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libfprint (Ubuntu)

Bug Description

Dear all,

In this package, a random seed is used for generation key for obfuscating a fingerprint image in uru4000 driver.
Unfortunately, it seems that the seed always exhibits the same sequence of numbers each time since it is generated from rand() in libc by default.
Then I reported this issue to the upstream with the patch.

However, the maintainer insists that the obfuscation-feature can be broken since the key for encryption is composed of just 4-bytes length.
Thus, there is no need to patch about random seed anyway.
It's pretty weird to say that.

Would it be all right if I leave this as it is?

Many thanks!!

CVE References

Sebastien Bacher (seb128) wrote :

Thank you for your bug report, do you have any pointer to the discuss with the upstream maintainer?

Sebastien Bacher (seb128) wrote :
Changed in libfprint (Ubuntu):
importance: Undecided → High
status: New → Triaged
Sebastien Bacher (seb128) wrote :

sorry, commented on the wrong bug

no longer affects: libfprint
Changed in libfprint (Ubuntu):
status: Triaged → New
Seong-Joong Kim (sungjungk) wrote :

What do you think of this issue?

Seong-Joong Kim (sungjungk) wrote :

It seems that the uru4000 driver is affected by a weak? or broken? obfuscation feature, allowing MITM attackers to discover user's precious fingerprint images.

information type: Public → Public Security
Seong-Joong Kim (sungjungk) wrote :

Please check the following PoC.

Changed in libfprint (Ubuntu):
status: New → Confirmed
importance: High → Low
importance: Low → High
importance: High → Low
Changed in libfprint:
status: Unknown → New
Seong-Joong Kim (sungjungk) wrote :

CVE-2019-13604 and CVE-2019-13621 have been assigned.
Please check the following PoC:

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.