This weakness involves creating non-standard or untested algorithms, using weak algorithms, or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are commonly found to be unsafe later, once they have been broken.
The crypt functions use a poor one-way hashing algorithm. Because they accept only passwords of 8 characters or fewer and use only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment.
The highlighted line of code below is the trigger point of this particular Fedora 25 crypto weakness.
```c
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Library General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Library General Public License for more details.
 *
 * You should have received a copy of the GNU Library General Public License
 * along with this library; see the file COPYING.LIB.  If not, write to
 * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
 * Boston, MA 02110-1301, USA.
 */

#ifndef _INCLUDE_KSSLUTILS_H
#define _INCLUDE_KSSLUTILS_H

#include <kdelibs4support_export.h>

#include <ksslconfig.h>

#if KSSL_HAVE_SSL
#define crypt _openssl_crypt
#include <openssl/x509.h>
#undef crypt
#endif

class QString;
class QDateTime;

#if KSSL_HAVE_SSL
// This functionality is missing in OpenSSL
/**
 * Convert an ASN1 UTCTIME value to a string.  Uses KLocale settings.
 *
 * @param tm the OpenSSL ASN1_UTCTIME pointer
 *
 * @return the date formatted in a QString
 * @see ASN1_UTCTIME_QDateTime
 */
QString ASN1_UTCTIME_QString(ASN1_UTCTIME *tm);

/**
 * Convert an ASN1 UTCTIME value to a QDateTime.  Uses KLocale settings.
 *
 * @param tm the OpenSSL ASN1_UTCTIME pointer
 * @param isGmt set to 1 if the date is set to GMT
 *
 * @return the date formatted in a QDateTime
 */
QDateTime ASN1_UTCTIME_QDateTime(ASN1_UTCTIME *tm, int *isGmt);
```