Gurpartap / aescrypt

A simple and opinionated AES encrypt / decrypt Ruby gem that just works.
MIT License
161 stars, 51 forks

Please use IV for CBC mode #4

Open jfinkhaeuser opened 11 years ago

jfinkhaeuser commented 11 years ago

See http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher-block_chaining_.28CBC.29

I can only assume that the ruby openssl wrapper uses null bytes for the IV in your use-case, which is not secure.

KMarshland commented 8 years ago

Just made a pull request to fix this.

I also verified that, although it didn't appear to be using null bytes, the IV was not being randomized at all between uses.
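
As an added illustration of the two comments above (this is example code written for this page, not code from the aescrypt gem or from either commenter): a fixed CBC IV, whether all-zero bytes or simply reused, makes ciphertexts deterministic, so equal plaintexts and equal plaintext prefixes are visible in the ciphertext. The corrected pattern draws a fresh random IV per message and prepends it to the ciphertext. The key and the sample messages are constructed for the demo; the helper names are this example's own.

```ruby
require 'openssl'

# Constructed demo key (32 bytes for AES-256). Not a real secret.
DEMO_KEY = OpenSSL::Digest::SHA256.digest('constructed demo key, not secret')

# The weak pattern from the issue: CBC with an IV that never changes.
# All-zero bytes is what the cipher uses when no IV is set at all.
STATIC_IV = ("\0" * 16).b

def encrypt_static_iv(plaintext, key = DEMO_KEY)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = key
  cipher.iv = STATIC_IV
  cipher.update(plaintext) + cipher.final
end

# Corrected pattern: a fresh random IV for every message, prepended to the
# ciphertext so the receiver can recover it. The IV is not secret, only
# unpredictable, so sending it in the clear is fine.
def encrypt_random_iv(plaintext, key = DEMO_KEY)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv # generates 16 random bytes and sets them as the IV
  iv + cipher.update(plaintext) + cipher.final
end

def decrypt_random_iv(blob, key = DEMO_KEY)
  iv = blob[0, 16]
  ciphertext = blob[16..-1]
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.update(ciphertext) + cipher.final
end

# True when encrypting the same plaintext twice yields identical bytes,
# i.e. when the scheme leaks plaintext equality.
def leaks_equality?(encryptor, plaintext)
  encryptor.call(plaintext) == encryptor.call(plaintext)
end

# Number of leading 16-byte blocks two ciphertexts have in common. With a
# fixed IV this equals the number of leading plaintext blocks they share.
def shared_prefix_blocks(c1, c2)
  blocks1 = c1.bytes.each_slice(16).to_a
  blocks2 = c2.bytes.each_slice(16).to_a
  blocks1.zip(blocks2).take_while { |a, b| a == b }.length
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample messages sharing a 17-byte prefix (one full block).
  m1 = 'Account balance: 100'
  m2 = 'Account balance: 999'

  puts "static IV leaks equality:  #{leaks_equality?(method(:encrypt_static_iv), m1)}"
  puts "random IV leaks equality:  #{leaks_equality?(method(:encrypt_random_iv), m1)}"
  puts "static IV shared blocks:   #{shared_prefix_blocks(encrypt_static_iv(m1), encrypt_static_iv(m2))}"
  puts "random IV shared blocks:   #{shared_prefix_blocks(encrypt_random_iv(m1), encrypt_random_iv(m2))}"
  puts "round trip ok:             #{decrypt_random_iv(encrypt_random_iv(m1)) == m1}"
end
```

Note that a random IV only fixes the confidentiality side of the CBC issue; it does not authenticate the ciphertext, so a deployment also needs a MAC or an AEAD mode, which is outside what this thread's first comment is about.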

tarcieri commented 7 years ago

Hi. I'd just like to reiterate that this is an extremely serious issue. This gem should not be used until this is fixed, but given there's a PR that's been open for nearly 6 months that hasn't been touched, I have serious doubts that's ever going to happen.

It's also one of two extremely severe issues with this gem. Unless both are fixed this gem is unsafe and should not be used.

jfinkhaeuser commented 7 years ago

CVE requested and reported to https://rubysec.com/

ArtOfCode- commented 7 years ago

@tarcieri An organisation I work with has forked this with the intention of keeping it more actively maintained - we started using this gem before realising it was insecure, so we're going to try to fix the major issues in this so we can keep using it. I'd appreciate it if you could find the time to cast an eye over the fixes we've added, since you seem to know what you're talking about :)

Charcoal-SE/aescrypt

jfinkhaeuser commented 7 years ago

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7463

jfinkhaeuser commented 7 years ago

And added to rubysec.com https://github.com/rubysec/ruby-advisory-db/commit/fda730f19cb3521b6cc71d95e084c494f8fa9375