fedora 24
crypto weakness #281

4

Weakness Breakdown


Definition:

This weakness involves creating non-standard or untested algorithms, using weak algorithms, or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are often later broken and found to be unsafe.

Warning code(s):

The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment.

File Name:

grive2-ae06eccb38b2fe250c9ddeac3e3973f80b8a0aa9/libgrive/src/base/Resource.cc

Context:

The highlighted line of code below is the trigger point of this particular Fedora 24 crypto weakness.

	m_json = &state;

	// root folder is always in sync
	if ( !IsRoot() )
	{
		fs::path path = Path() ;
		bool is_dir;
		os::Stat( path, &m_ctime, NULL, &is_dir ) ;

		m_name = path.filename().string() ;
		m_kind = is_dir ? "folder" : "file";

		bool is_changed;
		if ( state.Has( "ctime" ) && (u64_t) m_ctime.Sec() <= state["ctime"].U64() &&
			( is_dir || state.Has( "md5" ) ) )
		{
			if ( !is_dir )
				m_md5 = state["md5"];
			is_changed = false;
		}
		else
		{
			if ( !is_dir )
			{
				m_md5 = crypt::MD5::Get( path );
				// File is changed locally. TODO: Detect conflicts
				is_changed = !state.Has( "md5" ) || m_md5 != state["md5"].Str();
			}
			else
				is_changed = true;
		}
		if ( state.Has( "srv_time" ) )
			m_mtime.Assign( state[ "srv_time" ].U64(), 0 ) ;

		// Upload file if it is changed and remove if not.
		// State will be updated to sync/remote_changed in FromRemote()
		m_state = is_changed ? local_new : remote_deleted;
		if ( m_state == local_new )
		{
			// local_new means this file is changed in local.
			// this means we can't delete any of its parents.
			// make sure their state is also set to local_new.
			Resource *p = m_parent;
			while ( p && p->m_state == remote_deleted )
			{
				p->m_state = local_new;
				p = p->m_parent;
			}
		}
	} 
