Hi there,

we've been in touch with the upstream developers and I want to add the
following to the discussion:

After reading through the code thoroughly, I want to add the
clarification that the summary of the CVE is not really correct:

Every encrypted library uses the same salt. (That will be fixed by
upstream).

For each encrypted library, PBKDF2 is used to generate the encryption
key and IV from the user-supplied password for that library (and the salt).

It follows that two libraries only have the same IV if users used
the same password for them.

I'll try to update the CVE description for more clarity and for an
update on the NVD classification.

Best regards,
-- 
Moritz Schlarb
Unix-Gruppe | Systembetreuung
Zentrum für Datenverarbeitung
Johannes Gutenberg-Universität Mainz
Raum 01-331 - Tel. +49 6131 39-29441
OpenPGP Fingerprint: DF01 2247 BFC6 5501 AFF2 8445 0C24 B841 C7DD BAAF
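As an added illustration of the derivation described in the mail (example code, not the mail author's or the upstream project's own), assuming PBKDF2-HMAC-SHA256, an arbitrary iteration count and a 32-byte key / 16-byte IV split: two libraries share an IV only when the same password is stretched with the same salt, and a per-library random salt (the upstream fix) removes even that case.

```python
import hashlib
import os

# Assumed derivation shape (not the upstream project's exact code): PBKDF2-HMAC-SHA256
# stretches password + salt into 48 bytes, split into a 32-byte key and a 16-byte IV.
ITERATIONS = 10_000  # assumed; the iteration count does not change the collision argument
# Constructed stand-in for the salt that every encrypted library currently shares.
FIXED_SALT = b"constant-salt-shared-by-all-libraries"


def derive_key_iv(password: str, salt: bytes) -> tuple:
    """Derive (key, iv) for one library from its password and salt."""
    material = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=48
    )
    return material[:32], material[32:]


def iv_collides(password_a: str, password_b: str, salt_a: bytes, salt_b: bytes) -> bool:
    """True if two libraries end up with the same IV."""
    _, iv_a = derive_key_iv(password_a, salt_a)
    _, iv_b = derive_key_iv(password_b, salt_b)
    return iv_a == iv_b


def per_library_salt() -> bytes:
    """Fresh random salt per library: what the upstream fix amounts to."""
    return os.urandom(16)


if __name__ == "__main__":
    # Shared salt: same password -> same key and IV; different password -> different IV.
    print("same pw, shared salt:", iv_collides("hunter2", "hunter2", FIXED_SALT, FIXED_SALT))
    print("diff pw, shared salt:", iv_collides("hunter2", "tr0ub4dor", FIXED_SALT, FIXED_SALT))
    # Per-library salt: even identical passwords no longer share an IV.
    print("same pw, own salts:", iv_collides("hunter2", "hunter2", per_library_salt(), per_library_salt()))
```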
