Re: python-crypto / pycryptodome / CVE-2018-6594

Hi Brian

On Thu, Feb 08, 2018 at 08:20:22AM +1100, Brian May wrote:
> Hello,
> According to the upstream bug report:
> https://github.com/dlitz/pycrypto/issues/253
> "This bug is prevalent. It exists in PyCryptodome and libgcrypt (if used
> directly to encrypt messages)."
> Anyone know what the connection is between these python libraries and
> libgcrypt? Should libgcrypt be marked as vulnerable too?
> I believe python-crypto / pycryptodome are native Python implementations
> that don't use gcrypt, while gcrypt is a native C library that doesn't
> use python-crypto / pycryptodome.

Just replying for the 'should libgcrypt be marked as vulnerable too'
part. At first glance I would say the CVE should not be reused for
libgcrypt, since it's a different codebase, and if the issue is present
there, a new CVE for libgcrypt would possibly be appropriate (unless
MITRE states otherwise).
