Bug 266139

Summary: Kwallet can be accessed with two different passwords
Product: [Applications] kwalletmanager
Reporter: Georg <bugzilla>
Component: general
Assignee: Valentin Rusu <valir>
Status: RESOLVED FIXED
Severity: major
CC: korossy, samuel.brack, valir
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: openSUSE
OS: Linux
Latest Commit:
Version Fixed In:

Description Georg 2011-02-12 15:26:21 UTC
Version:           unspecified (using KDE 4.4.4) 
OS:                Linux

If a Kwallet is encrypted with a password of 32 characters which is built by repetition of a 16-character string, then it's possible to open the wallet with half of the password.



Reproducible: Always

Steps to Reproduce:
Create a wallet with a password of 32 characters, e.g. "12345678901234561234567890123456", built by repetition of a 16-character string.

Actual Results:  
You can open the wallet with the first 16 characters as well. In this example with "1234567890123456".


Expected Results:  
Kwallet should be accessed by only one unique password.

none
Comment 1 Samuel Brack 2011-02-13 21:47:51 UTC
I can confirm this using KWallet 1.7 in KDE 4.6, changing severity to major. Seems to be a security issue.
Comment 2 Justin Zobel 2021-03-10 00:32:33 UTC
Thank you for the bug report.

As this report hasn't seen any changes in 5 years or more, we ask if you can please confirm that the issue still persists.

If this bug is no longer persisting or relevant please change the status to resolved.
Comment 3 Georg 2021-03-18 21:43:35 UTC
The problem disappeared