Message-ID: <51DDBBC6.1070401@redhat.com>
Date: Wed, 10 Jul 2013 13:53:42 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: security curmudgeon <jericho@...rition.org>
Subject: Re: Re: Re: Re: cryptocat/decryptocat - needs a cve?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/10/2013 11:36 AM, security curmudgeon wrote:
>
> In reference to Kurt's post:
> http://seclists.org/oss-sec/2013/q3/66
>
> I went through the CryptoCat changelog, as well as the audit report
> from 2012 and broke out all the issues as I saw them. They are all
> live on OSVDB, which may help on CVE assignments:
>
> http://direct.osvdb.org/search?search%5Bvuln_title%5D=cryptocat&search%5Btext_type%5D=titles
>

You rock, thanks. Owe you a beer. Please use (same titles as OSVDB):

CVE-2013-2257 Cryptocat Group Chat ECC Private Key Generation Brute Force Weakness
CVE-2013-2258 Cryptocat Crafted Nickname User Impersonation Spoofing
CVE-2013-2259 Cryptocat on Firefox Conversation Overview Nickname Arbitrary Code Execution
CVE-2013-2260 Cryptocat Cryptocat.random() Function Array Key Entropy Weakness
CVE-2013-2261 Cryptocat for Chrome manifest.json img/keygen.gif Software Detection Weakness
CVE-2013-2262 Cryptocat strophe.js XMPP Request ID Prediction OTR Chat Activity Remote Disclosure
CVE-2013-4100 Cryptocat Crafted Username Chat Remote DoS
CVE-2013-4101 Cryptocat Link Markup Decorator addLinks() Function HTML Handling Weakness
CVE-2013-4102 Cryptocat strophe.js Math.random() Function Random Number Generator (RNG) Weakness
CVE-2013-4103 Cryptocat Crafted Data URI Remote Script Injection
CVE-2013-4104 Cryptocat OTR Socialist Millionnaire Protocol Key Exchange Poisoning Weakness
CVE-2013-4105 Cryptocat Multiparty Encryption Scheme AES-CTR Nonce Re-use Plaintext Traffic Disclosure
CVE-2013-4106 Cryptocat Conversation Overview Nickname XSS
CVE-2013-4107 Cryptocat cryptocat.js handlePresence() Function Nickname Change XSS
CVE-2013-4108 Cryptocat Multiple Unspecified Minor Issues
CVE-2013-4109 Cryptocat Message Handling Unspecified XSS
CVE-2013-4110 Cryptocat Unspecified Chat Participant User List Disclosure

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJR3bvFAAoJEBYNRVNeJnmT1ksQAL/C09I0kmpMEB9J8kSF19x+
iQZYNmyK9Cslxl9pdG/HLeLGieFdhGMAJ9CgBMfW82Vil6VAU8AwGn+rG8RUZtdk
cdhh6bGBvj3uLjgz+sabBZdCRSsu/LL6Y5INcQIVkvO5iIBF/HKqMRGBlmGygjdp
fJfLQigoPFcZ1IfIABFv40mMZxr8v6ZMlqukmOVeTyjnDPjNgYzimCqe3kBQzBwE
YA90sISausX5a68Tk3mkRMtsRfEQY7CXG666c/FO2sH+61CbQb8PhfuJ33TRWFog
wDqaphzHgWbBoW11VSlmTcEjGsaL/oxCGrwSqFE4hdg1vWgmxpMNZq6LodVvxTh4
REZaPQtrlJiIJjxFOwHiYUIig+BShgw74iQ4SmTse5PqQ/Z76VQlutQzXqGKdZ/V
xrl7AJvrUiEOHpmfkeS1x9feF85IY+MmDSIqVmRYr/wvClzTOHgFRNiBH4+FHUA1
axl+sLM8dlu4dFJdkPgf/HssQ26LDcLA7AmQxh1Fkb7NdvwGiGQ8F6fBz0JbyTMN
VQ7R/cx2GDagsEaoMmYp3hTMKrJbBpN04OEr/YmE0XWlz3s9dPLswwLdDgI7JDgJ
IGa+hfJCz58KK2JY1ztV0SyD75gcxhPpMxoblQnqlsDnV5lLbNrBLquKze9iXgxc
YCpcKrjSVUT4q5OA5Rob
=s1DF
-----END PGP SIGNATURE-----