Re: [SECURITY] [DLA 1283-1] python-crypto security update
My information, as communicated by Erik-Oliver Blass via private email
is that this issue was not fixed upstream.
I had assumed when upstream said "I will close this issue, since this
fix is in v3.4.10." in
it was meant that the problem was fixed by the recent commit:
This is the patch I backported to wheezy-security.
However, this commit by itself is insufficient to solve the problem.
Erik-Oliver Blass has said that upstream solved the problem by disabling
some of the functions, e.g. by renaming "encrypt()" to
"_encrypt()". Which is hardly a guarantee that nobody will use this
Looking at the git history, I see the following commit, which adds new
functions which generate errors:
I don't see any sign of the original encrypt method however, not even if
I look at the first git commit:
Regardless, the python-crypto package in wheezy does have the encrypt
    def encrypt(self, plaintext, K):
        return pubkey.encrypt(self, plaintext, K)
Where pubkey.encrypt() appears just to call self._encrypt(plaintext, K)
after doing some type conversions.
Erik-Oliver Blass is unhappy that they didn't try to fix the problem,
which he says is easy to fix.
I don't think I can backport a change that breaks compatibility like
this to wheezy.
Any comments? Where should we go from here?
Brian May <firstname.lastname@example.org>