
Re: python-crypto / pycryptodome / CVE-2018-6594



Hi Brian

On Thu, Feb 08, 2018 at 08:20:22AM +1100, Brian May wrote:
> Hello,
> 
> According to the upstream bug report:
> https://github.com/dlitz/pycrypto/issues/253
> 
> "This bug is prevalent. It exists in PyCryptodome and libgcrypt (if used
> directly to encrypt messages)."
> 
> Anyone know what the connection is between these python libraries and
> libgcrypt? Should libgcrypt be marked as vulnerable too?
> 
> I believe python-crypto / pycryptodome are native Python implementations
> that don't use gcrypt, while gcrypt is a native C library that doesn't
> use python-crypto / pycryptodome.

Just replying for the 'should libgcrypt be marked as vulnerable too'
part. At first glance I would say the CVE should not be reused for
libgcrypt, since it's a different codebase and if the issue is present
there a new CVE for libgcrypt would possibly be appropriate (unless
MITRE states otherwise).

Regards,
Salvatore

