Re: python-crypto / pycryptodome / CVE-2018-6594
Hi Brian
On Thu, Feb 08, 2018 at 08:20:22AM +1100, Brian May wrote:
> Hello,
>
> According to the upstream bug report:
> https://github.com/dlitz/pycrypto/issues/253
>
> "This bug is prevalent. It exists in PyCryptodome and libgcrypt (if used
> directly to encrypt messages)."
>
> Anyone know what the connection is between these python libraries and
> libgcrypt? Should libgcrypt be marked as vulnerable too?
>
> I believe python-crypto / pycryptodome are native Python implementations
> that don't use gcrypt, while gcrypt is a native C library that doesn't
> use python-crypto / pycryptodome.
Just replying for the 'should libgcrypt be marked as vulnerable too'
part. At first glance I would say the CVE should not be reused for
libgcrypt, since it's different codebasis and if the issue is present
there a new CVE for libgcrypt would possibly be appropriate (unless
MITRE states otherwise).
Regards,
Salvatore
Reply to: