oss-sec mailing list archives
CVE Request: Openpgp.js Critical vulnerability in S2K
From: Gijs Hollestelle <g.hollestelle () gmail com>
Date: Tue, 13 Oct 2015 20:21:54 +0200
Hi,

A vulnerability in the S2K function of OpenPGP.js allows a predictable session key to be produced without knowing the passphrase.

An attacker is able to create a private PGP key that will decrypt in OpenPGP.js regardless of the passphrase given. Also, using this flaw it is possible to forge a symmetrically encrypted PGP message (Symmetric-Key Encrypted Session Key Packets (Tag 3)) that will decrypt with any passphrase in OpenPGP.js. This can be an attack vector if successful decryption of such a message is used as an authentication mechanism.

The bug is fixed with a strict check on unknown S2K types.

Info: https://www.mail-archive.com/list@openpgpjs.org/msg00918.html
Fixed by: https://github.com/openpgpjs/openpgpjs/commit/668a9bbe7033f3f475576209305eb57a54306d29
Fixed in: OpenPGP.js v1.3.0

Could a CVE please be assigned to this issue?

Regards,
Gijs
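One way a strict check on unknown S2K types can look, as an added example that is not part of the original message and is not OpenPGP.js code or the code from the fix commit: a stand-alone parser for the S2K specifier layout of RFC 4880, section 3.7.1, that throws on any type it does not implement. The names `parseS2K` and `tryParse` and the sample bytes are constructed for illustration.

```javascript
// Added illustration, not OpenPGP.js source. Layout per RFC 4880, section 3.7.1.
const S2K_SIMPLE = 0, S2K_SALTED = 1, S2K_ITERATED = 3;

// Parse an S2K specifier from `bytes` at `offset`.
// Returns the parsed fields plus `length`, the number of bytes consumed.
function parseS2K(bytes, offset = 0) {
  const need = (n) => {
    if (offset + n > bytes.length) throw new Error('truncated S2K specifier');
  };
  need(2);
  const type = bytes[offset];
  const hashAlgo = bytes[offset + 1];
  switch (type) {
    case S2K_SIMPLE:
      return { type, hashAlgo, length: 2 };
    case S2K_SALTED:
      need(10);
      return { type, hashAlgo, salt: bytes.slice(offset + 2, offset + 10), length: 10 };
    case S2K_ITERATED: {
      need(11);
      const c = bytes[offset + 10];
      // Coded count to octet count (RFC 4880, section 3.7.1.3).
      const count = (16 + (c & 15)) << ((c >> 4) + 6);
      return { type, hashAlgo, salt: bytes.slice(offset + 2, offset + 10), count, length: 11 };
    }
    default:
      // Strict check: fail closed so no key is ever derived for a type
      // this code does not implement.
      throw new Error('unknown S2K type: ' + type);
  }
}

// Wrapper for callers that prefer a result object over an exception.
function tryParse(bytes) {
  try {
    return { ok: true, s2k: parseS2K(bytes) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample inputs (hash algorithm 8 = SHA-256, salt bytes 1..8).
const salt = [1, 2, 3, 4, 5, 6, 7, 8];
const iterated = Uint8Array.from([3, 8, ...salt, 0x60]);
const unknownType = Uint8Array.from([2, 8, ...salt, 0x60]); // 2 is a reserved value

console.log(tryParse(iterated));    // accepted, count decoded
console.log(tryParse(unknownType)); // rejected before any key derivation
```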