Re: [SECURITY] [DLA 1283-1] python-crypto security update

To: Ola Lundqvist <ola@inguza.com>
Cc: Ola Lundqvist <ola@inguza.com>, Antoine Beaupré <anarcat@orangeseeds.org>, Debian LTS <debian-lts@lists.debian.org>, security@debian.org
Subject: Re: [SECURITY] [DLA 1283-1] python-crypto security update
From: Brian May <bam@debian.org>
Date: Tue, 03 Apr 2018 08:02:30 +1000
Message-id: <[🔎] 87tvste07d.fsf@silverfish.pri>
In-reply-to: <[🔎] CABY6=0kHbuLUcwa2ffkTtG0cn6t0cNm334dh3PL0K1imsBoaiQ@mail.gmail.com>
References: <20180215073648.sfqwvisvthsxswta@prune.linuxpenguins.xyz> <87lgfod5qw.fsf@prune.linuxpenguins.xyz> <87tvt2vq88.fsf@curie.anarc.at> <87po3qfu7g.fsf@silverfish.pri> <87r2o24qxa.fsf@curie.anarc.at> <CABY6=0keTefH4_964oC84z18GCRXOkfc6swbvMv07aJgmGd3tg@mail.gmail.com> <[🔎] 87zi2mdnku.fsf@silverfish.pri> <[🔎] CABY6=0kHbuLUcwa2ffkTtG0cn6t0cNm334dh3PL0K1imsBoaiQ@mail.gmail.com>

Ola Lundqvist <ola@inguza.com> writes:

> Do we have a fix that solve the problem? If we do we can simply upload a
> new version with the fix and describe it accordingly.
> If it is fixed in some cases it may be considered fixed.
>
> I have not checked the details about this specific problem.

There are no known fixes.

Upstream argues that a fix is unnecessarily, because the key
vulnerability is only a problem when using the encryption, which is not
"is not meant to be used by itself". Furthermore they say fixing this
will break "backward compatibility with PGP".

For full details, read the upstream bug report:
https://github.com/Legrandin/pycryptodome/issues/90

Or, put another way, upstream renamed the "encrypt" function to
"_encrypt" a while back to indicate this should not be used. I think it
really depends on your point of view if this is sufficient to fix a
security vulnerability in key creation (another function) when used
directly with encryption.
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: [SECURITY] [DLA 1283-1] python-crypto security update
  - From: Ola Lundqvist <ola@inguza.com>

References:
- Re: [SECURITY] [DLA 1283-1] python-crypto security update
  - From: Brian May <bam@debian.org>
- Re: [SECURITY] [DLA 1283-1] python-crypto security update
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: Re: CVE-2018-1000074: rubygems, jruby & ruby1.9.11
Next by Date: LTS Report for March 2018
Previous by thread: Re: [SECURITY] [DLA 1283-1] python-crypto security update
Next by thread: Re: [SECURITY] [DLA 1283-1] python-crypto security update
Index(es):
- Date
- Thread