Re: python-crypto / pycryptodome / CVE-2018-6594



Here is my attempt to fix this for wheezy, based on the upstream patch,
which had to be applied manually. The only problem applying the patch was
that I changed the function back to number.getRandomRange because
Integer.random_range is unavailable. Plus they both appear to do the
same thing anyway.


diff -Nru python-crypto-2.6/debian/changelog python-crypto-2.6/debian/changelog
--- python-crypto-2.6/debian/changelog	2017-01-10 08:14:05.000000000 +1100
+++ python-crypto-2.6/debian/changelog	2018-02-09 16:41:36.000000000 +1100
@@ -1,3 +1,11 @@
+python-crypto (2.6-4+deb7u8) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2018-6594: fix generating weak ElGamal key parameters, which allowed
+    attackers to obtain sensitive information by reading ciphertext data.
+
+ -- Brian May <bam@debian.org>  Fri, 09 Feb 2018 16:41:36 +1100
+
 python-crypto (2.6-4+deb7u7) wheezy-security; urgency=high
 
   * Add a check for an actually working multiprocessing.Queue(), improving on
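Review bot: the new changelog entry describes the impact of CVE-2018-6594 but not what was changed, and since this upload only alters how ElGamal key parameters are generated, keys already produced by earlier versions stay weak; suggest wording such as "generate the ElGamal generator g as a quadratic residue so that ciphertexts no longer leak information about the plaintext (CVE-2018-6594); existing ElGamal keys should be regenerated" so that users of the LTS update know what action is on them.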
diff -Nru python-crypto-2.6/debian/patches/CVE-2018-6594.patch python-crypto-2.6/debian/patches/CVE-2018-6594.patch
--- python-crypto-2.6/debian/patches/CVE-2018-6594.patch	1970-01-01 10:00:00.000000000 +1000
+++ python-crypto-2.6/debian/patches/CVE-2018-6594.patch	2018-02-09 16:35:33.000000000 +1100
@@ -0,0 +1,46 @@
+--- a/lib/Crypto/PublicKey/ElGamal.py
++++ b/lib/Crypto/PublicKey/ElGamal.py
+@@ -158,28 +158,31 @@
+     if progress_func:
+         progress_func('g\n')
+     while 1:
++        # Choose a square residue; it will generate a cyclic group of order q.
++        obj.g = pow(number.getRandomRange(2, obj.p, randfunc), 2, obj.p)
++
+         # We must avoid g=2 because of Bleichenbacher's attack described
+         # in "Generating ElGamal signatures without knowning the secret key",
+         # 1996
+         #
+-        obj.g = number.getRandomRange(3, obj.p, randfunc)
+-        safe = 1
+-        if pow(obj.g, 2, obj.p)==1:
+-            safe=0
+-        if safe and pow(obj.g, q, obj.p)==1:
+-            safe=0
++        if obj.g in (1, 2):
++            continue
++
+         # Discard g if it divides p-1 because of the attack described
+         # in Note 11.67 (iii) in HAC
+-        if safe and divmod(obj.p-1, obj.g)[1]==0:
+-            safe=0
++        if (obj.p - 1) % obj.g == 0:
++            continue
++
+         # g^{-1} must not divide p-1 because of Khadir's attack
+         # described in "Conditions of the generator for forging ElGamal
+         # signature", 2011
+         ginv = number.inverse(obj.g, obj.p)
+-        if safe and divmod(obj.p-1, ginv)[1]==0:
+-            safe=0
+-        if safe:
+-            break
++        if (obj.p - 1) % ginv == 0:
++            continue
++
++        # Found
++        break
++
+     # Generate private key x
+     if progress_func:
+         progress_func('x\n')
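Review bot: the new debian/patches/CVE-2018-6594.patch has no DEP-3 header (Description, Origin, Bug-Debian) in the lines shown; add one that names the upstream commit this was backported from and records the number.getRandomRange substitution, since that is the one place the backport deviates from upstream. On the logic, the substitution reads correctly for 2.6: `number.getRandomRange(2, obj.p, randfunc)` draws r in [2, p) and `pow(r, 2, obj.p)` makes g a quadratic residue, which is what the comment "it will generate a cyclic group of order q" relies on, but only because p is produced as a safe prime 2q+1 earlier in generate(); please confirm that in the wheezy source, as the removed `pow(obj.g, q, obj.p)==1` test is only redundant under that assumption. The `if obj.g in (1, 2): continue` check still matters after squaring and should stay where it is: r = p-1 squares to 1, and 2 is a quadratic residue for some p, so neither value is excluded by the squaring alone. The `pow(obj.g, 2, obj.p)==1` test is correctly dropped, since the only g with that property in [2, p) is p-1, which is never a square mod an odd prime.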
diff -Nru python-crypto-2.6/debian/patches/series python-crypto-2.6/debian/patches/series
--- python-crypto-2.6/debian/patches/series	2017-01-10 08:10:55.000000000 +1100
+++ python-crypto-2.6/debian/patches/series	2018-02-09 16:19:53.000000000 +1100
@@ -8,3 +8,4 @@
 CVE-2013-1445.patch
 CVE-2013-7459.patch
 check-for-working-multiprocessing-queue.patch
+CVE-2018-6594.patch
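Review bot: the patch is appended after check-for-working-multiprocessing-queue.patch, which is the right position, but because it was adapted by hand its hunk header (`@@ -158,28 +158,31 @@`) must match the tree as it stands after the earlier CVE-2013-1445 and CVE-2013-7459 patches in this series; please confirm `quilt push -a` applies it with no fuzz or offset, and that the resulting lib/Crypto/PublicKey/ElGamal.py still imports `number` so that `number.getRandomRange` and `number.inverse` resolve.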

-- 
Brian May <bam@debian.org>