Re: python-crypto / pycryptodome / CVE-2018-6594
Here is my attempt to fix this for wheezy, based on the upstream patch
which had to be applied manually. Only problem applying the patch was I
changed the function back to number.getRandomRange because
Integer.random_range is unavailable. Plus they both appear to do the
same thing anyway.
diff -Nru python-crypto-2.6/debian/changelog python-crypto-2.6/debian/changelog
--- python-crypto-2.6/debian/changelog 2017-01-10 08:14:05.000000000 +1100
+++ python-crypto-2.6/debian/changelog 2018-02-09 16:41:36.000000000 +1100
@@ -1,3 +1,11 @@
+python-crypto (2.6-4+deb7u8) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2018-6594: fix generating weak ElGamal key parameters, which allowed
+ attackers to obtain sensitive information by reading ciphertext data.
+
+ -- Brian May <bam@debian.org> Fri, 09 Feb 2018 16:41:36 +1100
+
python-crypto (2.6-4+deb7u7) wheezy-security; urgency=high
* Add a check for an actually working multiprocessing.Queue(), improving on
diff -Nru python-crypto-2.6/debian/patches/CVE-2018-6594.patch python-crypto-2.6/debian/patches/CVE-2018-6594.patch
--- python-crypto-2.6/debian/patches/CVE-2018-6594.patch 1970-01-01 10:00:00.000000000 +1000
+++ python-crypto-2.6/debian/patches/CVE-2018-6594.patch 2018-02-09 16:35:33.000000000 +1100
@@ -0,0 +1,46 @@
+--- a/lib/Crypto/PublicKey/ElGamal.py
++++ b/lib/Crypto/PublicKey/ElGamal.py
+@@ -158,28 +158,31 @@
+ if progress_func:
+ progress_func('g\n')
+ while 1:
++ # Choose a square residue; it will generate a cyclic group of order q.
++ obj.g = pow(number.getRandomRange(2, obj.p, randfunc), 2, obj.p)
++
+ # We must avoid g=2 because of Bleichenbacher's attack described
+ # in "Generating ElGamal signatures without knowning the secret key",
+ # 1996
+ #
+- obj.g = number.getRandomRange(3, obj.p, randfunc)
+- safe = 1
+- if pow(obj.g, 2, obj.p)==1:
+- safe=0
+- if safe and pow(obj.g, q, obj.p)==1:
+- safe=0
++ if obj.g in (1, 2):
++ continue
++
+ # Discard g if it divides p-1 because of the attack described
+ # in Note 11.67 (iii) in HAC
+- if safe and divmod(obj.p-1, obj.g)[1]==0:
+- safe=0
++ if (obj.p - 1) % obj.g == 0:
++ continue
++
+ # g^{-1} must not divide p-1 because of Khadir's attack
+ # described in "Conditions of the generator for forging ElGamal
+ # signature", 2011
+ ginv = number.inverse(obj.g, obj.p)
+- if safe and divmod(obj.p-1, ginv)[1]==0:
+- safe=0
+- if safe:
+- break
++ if (obj.p - 1) % ginv == 0:
++ continue
++
++ # Found
++ break
++
+ # Generate private key x
+ if progress_func:
+ progress_func('x\n')
diff -Nru python-crypto-2.6/debian/patches/series python-crypto-2.6/debian/patches/series
--- python-crypto-2.6/debian/patches/series 2017-01-10 08:10:55.000000000 +1100
+++ python-crypto-2.6/debian/patches/series 2018-02-09 16:19:53.000000000 +1100
@@ -8,3 +8,4 @@
CVE-2013-1445.patch
CVE-2013-7459.patch
check-for-working-multiprocessing-queue.patch
+CVE-2018-6594.patch
--
Brian May <bam@debian.org>
Reply to: