Re: about python-oauth2: CVE-2013-4347

To: debian-python@lists.debian.org
Subject: Re: about python-oauth2: CVE-2013-4347
From: Philippe Makowski <pmakowski@espelida.com>
Date: Fri, 18 Oct 2013 22:02:51 +0200
Message-id: <[🔎] 526193EB.3090201@espelida.com>
In-reply-to: <[🔎] 20131009064018.GA3329@jwilk.net>
References: <[🔎] 52547D33.7070600@espelida.com> <[🔎] CAKTje6FsYgkcQY56gRUKXwcBrKXBt2M5F9ApawU0c+d-JokGZQ@mail.gmail.com> <[🔎] 20131009064018.GA3329@jwilk.net>

Jakub Wilk  [2013-10-09 08:40] :
> Yeah, the oss-sec mail is about using a RNG that is not suitable for
> cryptographic purposes. This can be easily fixed by using
> "random.SystemRandom" (which uses /dev/urandom) instead of the "random"
> module directly (which has a Mersenne Twister under the hood).

yes like that I think

https://github.com/pmakowski/python-oauth2/commit/d7f5cb079c9517703778bac08c7ed5591ad4487d

but it let the other CVE-2013-4346 about _check_signature() ignoring the
nonce value when validating signed urls

any idea ?

Reply to:

Follow-Ups:
- Re: about python-oauth2: CVE-2013-4347
  - From: Philippe Makowski <pmakowski@espelida.com>

References:
- about python-oauth2: CVE-2013-4347
  - From: Philippe Makowski <pmakowski@espelida.com>
- Re: about python-oauth2: CVE-2013-4347
  - From: Paul Wise <pabs@debian.org>
- Re: about python-oauth2: CVE-2013-4347
  - From: Jakub Wilk <jwilk@debian.org>

Prev by Date: Re: Claiming ‘/usr/bin/coverage’ for a Python-specific programmer tool
Next by Date: Re: about python-oauth2: CVE-2013-4347
Previous by thread: Re: about python-oauth2: CVE-2013-4347
Next by thread: Re: about python-oauth2: CVE-2013-4347
Index(es):
- Date
- Thread