jderuiter / javacard-openpgpcard

Java Card implementation of the OpenPGP smart card
GNU General Public License v2.0

YSA-2015-1 and CVE-2015-3298 #1

Closed hexum closed 7 years ago

hexum commented 7 years ago

It seems the code still contains the vulnerability revealed by Yubico. https://developers.yubico.com/ykneo-openpgp/SecurityAdvisory%202015-04-14.html

jderuiter commented 7 years ago

Could you give more details on why you think this issue is still present? The offending lines now read:

```java
if (!(pw1.isValidated() && pw1_modes[PW1_MODE_NO82]))
```

Note the additional brackets around the condition. My fix is slightly different to the solution presented on Yubico's site, but equivalent.

hexum commented 7 years ago

I was looking for an exclamation mark before pw1_modes. Now I see you used a more efficient solution based on De Morgan's law.
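The thread turns on whether `!(A && B)` (jderuiter's guard) and `!A || !B` (the form with a negation in front of `pw1_modes` that hexum was looking for) reject the same states. The following is an added example, not code from javacard-openpgpcard or from Yubico: it models the PW1 guard as two booleans, checks both forms against every combination exhaustively, and shows that only the "PIN verified and mode flag set" state lets a signing request through. The names `validated`, `mode_no82`, `sign_request` and `SecurityStatusNotSatisfied` are illustrative; the ISO 7816 status word 0x6982 is assumed to be what a card applet would return for a failed security-status check.

```python
"""Model of the PW1 guard discussed in the issue (added example, not project code).

`validated` stands for pw1.isValidated(); `mode_no82` stands for
pw1_modes[PW1_MODE_NO82].  Both names are illustrative stand-ins.
"""
from itertools import product

# ISO 7816-4 status word "security status not satisfied" (assumed applet response).
SW_SECURITY_STATUS_NOT_SATISFIED = 0x6982


class SecurityStatusNotSatisfied(Exception):
    """Raised where a card applet would throw SW 0x6982."""

    def __init__(self) -> None:
        super().__init__(f"SW {SW_SECURITY_STATUS_NOT_SATISFIED:04X}")
        self.sw = SW_SECURITY_STATUS_NOT_SATISFIED


def guard_demorgan(validated: bool, mode_no82: bool) -> bool:
    """jderuiter's form: if (!(pw1.isValidated() && pw1_modes[PW1_MODE_NO82]))
    True means 'reject the request'."""
    return not (validated and mode_no82)


def guard_negated_or(validated: bool, mode_no82: bool) -> bool:
    """De Morgan expansion, with the '!' in front of pw1_modes that hexum expected:
    if (!pw1.isValidated() || !pw1_modes[PW1_MODE_NO82])"""
    return (not validated) or (not mode_no82)


ALL_STATES = list(product((False, True), repeat=2))  # (validated, mode_no82)


def guards_equivalent() -> bool:
    """Exhaustive check over all four states: both guards reject exactly the same ones."""
    return all(guard_demorgan(v, m) == guard_negated_or(v, m) for v, m in ALL_STATES)


def permitted_states() -> list:
    """States in which the guard does NOT reject, i.e. signing is allowed."""
    return [(v, m) for v, m in ALL_STATES if not guard_demorgan(v, m)]


def sign_request(validated: bool, mode_no82: bool, data: bytes) -> bytes:
    """Stand-in for the signing command: the guard runs before any key use.

    Returns a constructed placeholder 'signature' so the flow can be exercised;
    no real cryptography is involved."""
    if guard_demorgan(validated, mode_no82):
        raise SecurityStatusNotSatisfied()
    return b"SIG:" + data


if __name__ == "__main__":
    print("guards equivalent:", guards_equivalent())
    print("states that permit signing:", permitted_states())
    for v, m in ALL_STATES:
        try:
            sign_request(v, m, b"constructed-input")
            print(f"validated={v} mode_no82={m}: allowed")
        except SecurityStatusNotSatisfied as e:
            print(f"validated={v} mode_no82={m}: rejected ({e})")
```

Running the module prints the full truth table; the useful property for review is that `permitted_states()` contains only `(True, True)`, so an unverified PIN or a cleared mode flag is rejected by both spellings of the condition.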