seafile: CVE-2013-7469

Related Vulnerabilities: CVE-2013-7469  

Debian Bug report logs - #923009
seafile: CVE-2013-7469


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 22 Feb 2019 22:48:01 UTC

Severity: important

Tags: security, upstream

Found in version seafile/6.2.11-1

Forwarded to https://github.com/haiwen/seafile/issues/350



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Seafile Team <team+seafile@tracker.debian.org>:
Bug#923009; Package src:seafile. (Fri, 22 Feb 2019 22:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Seafile Team <team+seafile@tracker.debian.org>. (Fri, 22 Feb 2019 22:48:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: seafile: CVE-2013-7469
Date: Fri, 22 Feb 2019 23:46:04 +0100
Source: seafile
Version: 6.2.11-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/haiwen/seafile/issues/350

Hi,

The following vulnerability was published for seafile.

CVE-2013-7469[0]:
| Seafile through 6.2.11 always uses the same Initialization Vector (IV)
| with Cipher Block Chaining (CBC) Mode to encrypt private data, making
| it easier to conduct chosen-plaintext attacks or dictionary attacks.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2013-7469
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7469
[1] https://github.com/haiwen/seafile/issues/350

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Seafile Team <team+seafile@tracker.debian.org>:
Bug#923009; Package src:seafile. (Tue, 05 Mar 2019 11:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Christoph Martin <martin@uni-mainz.de>:
Extra info received and forwarded to list. Copy sent to Debian Seafile Team <team+seafile@tracker.debian.org>. (Tue, 05 Mar 2019 11:21:03 GMT) (full text, mbox, link).


Message #10 received at 923009@bugs.debian.org (full text, mbox, reply):

From: Christoph Martin <martin@uni-mainz.de>
To: Salvatore Bonaccorso <carnil@debian.org>, <923009@bugs.debian.org>
Subject: Re: Bug#923009: seafile: CVE-2013-7469
Date: Tue, 5 Mar 2019 12:12:31 +0100
[Message part 1 (text/plain, inline)]
Control: tags -1 buster-ignore

On 22.02.19 at 23:46, Salvatore Bonaccorso wrote:
> Source: seafile
> Version: 6.2.11-1
> Severity: grave
> Tags: security upstream
> Forwarded: https://github.com/haiwen/seafile/issues/350
> 
> Hi,
> 
> The following vulnerability was published for seafile.
> 
> CVE-2013-7469[0]:
> | Seafile through 6.2.11 always uses the same Initialization Vector (IV)
> | with Cipher Block Chaining (CBC) Mode to encrypt private data, making
> | it easier to conduct chosen-plaintext attacks or dictionary attacks.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2013-7469
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7469
> [1] https://github.com/haiwen/seafile/issues/350

This bug report is pretty late in the release cycle. Also the CVE is
unspecific about the impact of the problem.

As far as I see, the problem only affects libraries for which the user
enabled encryption.

Since the transport of the files is secured via a normal webserver with
TLS etc., access to your encrypted library can only be attempted locally
on the client or the server.

The cryptographic weakness should at least be documented with the hint
to additionally use a gpg or zip encrypted file in the library if the
files' data is really sensible.

So, I don't consider this bug a release critical bug for buster. It
cannot be fixed in the short time which is left for the release.

Christoph

-- 
============================================================================
Christoph Martin, Head of Unix Systems
Zentrum für Datenverarbeitung, Uni-Mainz, Germany
 Anselm Franz von Bentzel-Weg 12, 55128 Mainz
 Phone: +49(6131)3926337
 Instant Messaging: Jabber/XMPP: martin@jabber.uni-mainz.de


[signature.asc (application/pgp-signature, attachment)]

Added tag(s) buster-ignore. Request was from Christoph Martin <martin@uni-mainz.de> to 923009-submit@bugs.debian.org. (Tue, 05 Mar 2019 11:21:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Seafile Team <team+seafile@tracker.debian.org>:
Bug#923009; Package src:seafile. (Wed, 06 Mar 2019 22:18:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Seafile Team <team+seafile@tracker.debian.org>. (Wed, 06 Mar 2019 22:18:03 GMT) (full text, mbox, link).


Message #17 received at 923009@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Christoph Martin <martin@uni-mainz.de>
Cc: 923009@bugs.debian.org
Subject: Re: Bug#923009: seafile: CVE-2013-7469
Date: Wed, 6 Mar 2019 23:15:44 +0100
Hi Christoph,

On Tue, Mar 05, 2019 at 12:12:31PM +0100, Christoph Martin wrote:
> Control: tags -1 buster-ignore
> 
> On 22.02.19 at 23:46, Salvatore Bonaccorso wrote:
> > Source: seafile
> > Version: 6.2.11-1
> > Severity: grave
> > Tags: security upstream
> > Forwarded: https://github.com/haiwen/seafile/issues/350
> > 
> > Hi,
> > 
> > The following vulnerability was published for seafile.
> > 
> > CVE-2013-7469[0]:
> > | Seafile through 6.2.11 always uses the same Initialization Vector (IV)
> > | with Cipher Block Chaining (CBC) Mode to encrypt private data, making
> > | it easier to conduct chosen-plaintext attacks or dictionary attacks.
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2013-7469
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7469
> > [1] https://github.com/haiwen/seafile/issues/350
> 
> This bug report is pretty late in the release cycle. Also the CVE is
> unspecific about the impact of the problem.
> 
> As far as I see, the problem only affects libraries for which the user
> enabled encryption.
> 
> Since the transport of the files is secured via a normal webserver with
> TLS etc., access to your encrypted library can only be attempted locally
> on the client or the server.
> 
> The cryptographic weakness should at least be documented with the hint
> to additionally use a gpg or zip encrypted file in the library if the
> files' data is really sensible.
> 
> So, I don't consider this bug a release critical bug for buster. It
> cannot be fixed in the short time which is left for the release.

Yes I think we can agree on that!

Regards,
Salvatore

Quick note on the buster-ignore tag addition: keep in mind that this
is technically only to be used/added by release managers themselves, but
maintainers can obviously suggest it to the release managers, cf.
https://www.debian.org/Bugs/Developer#tags



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Seafile Team <team+seafile@tracker.debian.org>:
Bug#923009; Package src:seafile. (Thu, 07 Mar 2019 09:21:04 GMT) (full text, mbox, link).


Acknowledgement sent to Christoph Martin <martin@uni-mainz.de>:
Extra info received and forwarded to list. Copy sent to Debian Seafile Team <team+seafile@tracker.debian.org>. (Thu, 07 Mar 2019 09:21:04 GMT) (full text, mbox, link).


Message #22 received at 923009@bugs.debian.org (full text, mbox, reply):

From: Christoph Martin <martin@uni-mainz.de>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: <923009@bugs.debian.org>
Subject: Re: Bug#923009: seafile: CVE-2013-7469
Date: Thu, 7 Mar 2019 10:16:46 +0100
[Message part 1 (text/plain, inline)]
Hi Salvatore,

On 06.03.19 at 23:15, Salvatore Bonaccorso wrote:
> Hi Christoph,
> 
> On Tue, Mar 05, 2019 at 12:12:31PM +0100, Christoph Martin wrote:
> 
> Yes I think we can agree on that!
> 

So, I'd like to lower the severity to important,

> Quick note on the buster-ignore tag addition: keep in mind that this
> is technically only to be used/added by release managers themselves, but
> maintainers can obviously suggest it to the release managers, cf.
> https://www.debian.org/Bugs/Developer#tags

Sorry for that. Is it ok to leave the tag or is a severity change to
important better? The autoremove flag is still active.

Christoph


[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Seafile Team <team+seafile@tracker.debian.org>:
Bug#923009; Package src:seafile. (Thu, 07 Mar 2019 12:39:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Seafile Team <team+seafile@tracker.debian.org>. (Thu, 07 Mar 2019 12:39:06 GMT) (full text, mbox, link).


Message #27 received at 923009@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Christoph Martin <martin@uni-mainz.de>
Cc: 923009@bugs.debian.org
Subject: Re: Bug#923009: seafile: CVE-2013-7469
Date: Thu, 7 Mar 2019 13:36:17 +0100
Control: severity -1 important
Control: tags -1 - buster-ignore

Hi Christoph,

On Thu, Mar 07, 2019 at 10:16:46AM +0100, Christoph Martin wrote:
> Hi Salvatore,
> 
> On 06.03.19 at 23:15, Salvatore Bonaccorso wrote:
> > Hi Christoph,
> > 
> > On Tue, Mar 05, 2019 at 12:12:31PM +0100, Christoph Martin wrote:
> > 
> > Yes I think we can agree on that!
> > 
> 
> So, I'd like to lower the severity to important,
> 
> > Quick note on the buster-ignore tag addition: keep in mind that this
> > is technically only to be used/added by release managers themselves, but
> > maintainers can obviously suggest it to the release managers, cf.
> > https://www.debian.org/Bugs/Developer#tags
> 
> Sorry for that. Is it ok to leave the tag or is a severity change to
> important better? The autoremove flag is still active.

Yes, that sounds good; I'm doing so now, and also removing the
tag buster-ignore as raised by Ivo on IRC.

Btw, the autoremove flag should have disappeared otherwise next.

Regards,
Salvatore



Severity set to 'important' from 'grave' Request was from Salvatore Bonaccorso <carnil@debian.org> to 923009-submit@bugs.debian.org. (Thu, 07 Mar 2019 12:39:06 GMT) (full text, mbox, link).


Removed tag(s) buster-ignore. Request was from Salvatore Bonaccorso <carnil@debian.org> to 923009-submit@bugs.debian.org. (Thu, 07 Mar 2019 12:39:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Seafile Team <team+seafile@tracker.debian.org>:
Bug#923009; Package src:seafile. (Fri, 08 Mar 2019 10:12:06 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Schlarb <schlarbm@uni-mainz.de>:
Extra info received and forwarded to list. Copy sent to Debian Seafile Team <team+seafile@tracker.debian.org>. (Fri, 08 Mar 2019 10:12:06 GMT) (full text, mbox, link).


Message #36 received at 923009@bugs.debian.org (full text, mbox, reply):

From: Moritz Schlarb <schlarbm@uni-mainz.de>
To: <923009@bugs.debian.org>, Salvatore Bonaccorso <carnil@debian.org>, Christoph Martin <martin@uni-mainz.de>
Subject: Re: Bug#923009: seafile: CVE-2013-7469
Date: Fri, 8 Mar 2019 11:03:04 +0100
[Message part 1 (text/plain, inline)]
Hi there,

we've been in touch with the upstream developers and I want to add the
following to the discussion:

After reading through the code thoroughly, I want to add the
clarification that the summary of the CVE is not really correct:

Every encrypted library uses the same salt. (That will be fixed by
upstream).

For each encrypted library, PBKDF2 is used to generate the encryption
key and IV from the user-supplied password for that library (and the salt).

It follows that two libraries only have the same IV if users used
the same password for them.

I'll try to update the CVE description for more clarity and for an
update on the NVD classification.

Best regards,
-- 
Moritz Schlarb
Unix Group | System Administration
Zentrum für Datenverarbeitung
Johannes Gutenberg-Universität Mainz
Room 01-331 - Tel. +49 6131 39-29441
OpenPGP Fingerprint: DF01 2247 BFC6
5501 AFF2 8445 0C24 B841 C7DD BAAF
[schlarbm.vcf (text/x-vcard, attachment)]
[signature.asc (application/pgp-signature, attachment)]
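To make the point of the CVE text (same IV reused with CBC) and Moritz's clarification (key and IV both derived by PBKDF2 from the password and a shared salt) concrete, here is an added Python illustration. It is not Seafile's code and not from any participant in this thread: the PBKDF2-HMAC-SHA256 choice, the iteration count, the key/IV lengths, the salt value and the library record layout are all constructed assumptions, since Seafile's real parameters are not on this page. It derives key and IV for a few libraries with a shared salt and with a per-library random salt, and includes an audit helper that flags libraries whose derived IVs coincide.

```python
"""Fixed salt => identical (key, IV) for identical passwords; random salt fixes it.

Added illustration, not Seafile's code.  All parameters below are constructed
assumptions, not Seafile's actual values.
"""
import hashlib
import os
from dataclasses import dataclass

ITERATIONS = 10_000                          # assumed PBKDF2 iteration count
KEY_LEN = 32                                 # assumed 256-bit cipher key
IV_LEN = 16                                  # one CBC block of a 128-bit block cipher
SHARED_SALT = b"constructed-shared-salt"     # stands in for a salt every library reuses


def derive_key_iv(password: str, salt: bytes, iterations: int = ITERATIONS) -> tuple[bytes, bytes]:
    """Derive (key, iv) from a password with one PBKDF2-HMAC-SHA256 call.

    Both outputs are deterministic functions of (password, salt): the same
    pair always yields the same key *and* the same IV.
    """
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   iterations, dklen=KEY_LEN + IV_LEN)
    return material[:KEY_LEN], material[KEY_LEN:]


@dataclass(frozen=True)
class Library:
    name: str
    salt: bytes
    key: bytes
    iv: bytes


def create_library(name: str, password: str, salt: bytes) -> Library:
    key, iv = derive_key_iv(password, salt)
    return Library(name, salt, key, iv)


def create_library_shared_salt(name: str, password: str) -> Library:
    """Weak scheme: every library reuses SHARED_SALT."""
    return create_library(name, password, SHARED_SALT)


def create_library_random_salt(name: str, password: str) -> Library:
    """Corrected scheme: a fresh random salt per library, stored next to it."""
    return create_library(name, password, os.urandom(16))


def find_shared_ivs(libraries: list[Library]) -> dict[str, list[str]]:
    """Audit helper: map each IV (hex) that occurs in more than one library to
    the names of those libraries.  An empty result means no IV is reused."""
    by_iv: dict[bytes, list[str]] = {}
    for lib in libraries:
        by_iv.setdefault(lib.iv, []).append(lib.name)
    return {iv.hex(): names for iv, names in by_iv.items() if len(names) > 1}


def cbc_first_block_input(iv: bytes, plaintext: bytes) -> bytes:
    """In CBC the first ciphertext block is E_K(P1 XOR IV).  With an equal key
    and IV, equal first plaintext blocks give equal first ciphertext blocks:
    that equality leak is what the CVE text refers to.  Assumes at least one
    full block of plaintext (no padding is modelled here)."""
    if len(plaintext) < IV_LEN:
        raise ValueError("need at least one full block of plaintext")
    return bytes(p ^ v for p, v in zip(plaintext[:IV_LEN], iv))


def demo() -> dict[str, object]:
    """Compare the weak and corrected schemes on constructed libraries."""
    weak = [create_library_shared_salt("docs", "hunter2"),
            create_library_shared_salt("photos", "hunter2"),        # same password
            create_library_shared_salt("tax", "different-password")]
    fixed = [create_library_random_salt("docs", "hunter2"),
             create_library_random_salt("photos", "hunter2")]        # same password
    return {
        "weak_shared_ivs": find_shared_ivs(weak),      # docs and photos collide
        "fixed_shared_ivs": find_shared_ivs(fixed),    # nothing collides
        "weak_same_key": weak[0].key == weak[1].key,   # True: same key too
        "fixed_same_key": fixed[0].key == fixed[1].key,
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```

The audit helper is the defender's view of the thread: given the per-library salts and derived IVs, it reports exactly the situation Moritz describes (collisions only between libraries whose passwords match) under a shared salt, and an empty result once each library has its own random salt. The CBC helper only computes the block-cipher input for the first block, which is enough to show why an equal IV with an equal key turns equal plaintext prefixes into equal ciphertext prefixes.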



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:37:57 2019; Machine Name: buxtehude
