python-keyring CryptedFileKeyring is insecure (was: doesn't work with python-crypto 2.6-1 (ValueError: IV must be 16 bytes long))
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
python-keyring (Debian) | Fix Released | Unknown | | |
python-keyring (Ubuntu) | Fix Released | Undecided | Unassigned | |
Oneiric | Fix Released | Undecided | Marc Deslauriers | |
Precise | Fix Released | Undecided | Marc Deslauriers | |
Bug Description
Traceback (most recent call last):
File "/usr/bin/
main()
File "/usr/bin/
Launchpad.
File "/usr/lib/
version=
File "/usr/lib/
credential_
File "/usr/lib/
authorizati
File "/usr/lib/
return self.do_
File "/usr/lib/
'launchpadlib', unique_key)
File "/usr/lib/
return _keyring_
File "/usr/lib/
password = self.decrypt(
File "/usr/lib/
crypter = self._init_
File "/usr/lib/
return AES.new(password, AES.MODE_CFB)
File "/usr/lib/
return AESCipher(key, *args, **kwargs)
File "/usr/lib/
blockalgo.
File "/usr/lib/
self._cipher = factory.new(key, *args, **kwargs)
ValueError: IV must be 16 bytes long
I got this backtrace when trying to use syncpackage in my up-to-date quantal chroot. I don't know if it's a bug in python-crypto or python-keyring as this error appeared after updating python-crypto to 2.6-1.
Workaround is to downgrade python-crypto to 2.5-2 for now.
CVE References
security vulnerability: no → yes
Changed in python-keyring (Debian): status: Unknown → New
Changed in python-keyring (Debian): status: New → Confirmed
Changed in python-keyring (Debian): status: Confirmed → Fix Released
Changed in python-keyring (Ubuntu Oneiric): status: New → Confirmed
Changed in python-keyring (Ubuntu Precise): status: New → Confirmed
Changed in python-keyring (Ubuntu Oneiric): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in python-keyring (Ubuntu Precise): assignee: nobody → Marc Deslauriers (mdeslaur)
ii python-crypto 2.6-1 cryptographic algorithms and protocols for Python
ii python-keyring 0.7.1-1fakesync1 store and access your passwords safely