kwalletd: Information disclosure — GLSA 201606-19

Kwalletd password stores are vulnerable to codebook attacks.

Affected Packages

kde-apps/kwalletd on all architectures
Affected versions < 4.14.3-r2
Unaffected versions >= 4.14.3-r2

Background

Kwalletd is is a credentials management application for KDE.

Description

Kwalletd in KWallet uses Blowfish with ECB mode instead of CBC mode when encrypting the password store.

Impact

Local attackers, with access to the password store, could conduct a codebook attack in order to obtain confidential passwords.

Workaround

There is no known workaround at this time.

Resolution

All kwalletd users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=kde-apps/kwalletd-4.14.3-r1"
 

References

Release Date
June 27, 2016

Latest Revision
June 27, 2016: 1

Severity
normal

Exploitable
local

Bugzilla entries