
Re: python-crypto / pycryptodome / CVE-2018-6594



Hi Brian,

On Thu, Feb 08, 2018 at 07:00:06AM +0100, Salvatore Bonaccorso wrote:
> Hi Brian
> 
> On Thu, Feb 08, 2018 at 08:20:22AM +1100, Brian May wrote:
> > Hello,
> > 
> > According to the upstream bug report:
> > https://github.com/dlitz/pycrypto/issues/253
> > 
> > "This bug is prevalent. It exists in PyCryptodome and libgcrypt (if used
> > directly to encrypt messages)."
> > 
> > Anyone know what the connection is between these python libraries and
> > libgcrypt? Should libgcrypt be marked as vulnerable too?
> > 
> > I believe python-crypto / pycryptodome are native Python implementations
> > that don't use gcrypt, while gcrypt is a native C library that doesn't
> > use python-crypto / pycryptodome.
> 
> Just replying for the 'should libgcrypt be marked as vulnerable too'
> part. At first glance I would say the CVE should not be reused for
> libgcrypt, since it's a different codebase and if the issue is present
> there a new CVE for libgcrypt would possibly be appropriate (unless
> MITRE states otherwise).

Turns out this was right, the CVE for the libgcrypt implementation is
CVE-2018-6829.

Regards,
Salvatore

