Bug 732662 - dev-python/pycryptodome: includes bundled libtomcrypt
Summary: dev-python/pycryptodome: includes bundled libtomcrypt
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security Audit Team
URL:
Whiteboard:
Keywords:
Depends on: 723844
Blocks: bundled-libs
Reported: 2020-07-14 22:08 UTC by Sam James
Modified: 2020-12-22 10:10 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---


Description Sam James 2020-07-14 22:08:53 UTC
The libtom* family needs regular updates and has historically led to vulnerabilities in its bundlers.

Red Hat had a bug on unbundling for pycrypto: https://bugzilla.redhat.com/show_bug.cgi?id=1087557.

Fedora have a patch: https://src.fedoraproject.org/rpms/python-pycryptodomex/blob/master/f/python-pycryptodomex-3.7.3-use_external_libtomcrypt.patch
Comment 1 Michał Górny 2020-07-15 10:21:54 UTC
I suppose this also implies packaging libtomcrypt.  I wonder if we really do need DES support in pycryptodome.
Comment 2 Sam James 2020-12-22 02:31:11 UTC
(In reply to Michał Górny from comment #1)
> I suppose this also implies packaging libtomcrypt.  I wonder if we really do
> need DES support in pycryptodome.

Got it now ;)
Comment 3 Michał Górny 2020-12-22 08:57:30 UTC
Not going to be this easy:

error: Cannot load native module 'Crypto.Cipher._raw_des3': Trying '_raw_des3.pypy37-pp73-x86_64-linux-gnu.so': Cannot load library /tmp/portage/dev-python/pycryptodome-3.9.9-r1/work/pycryptodome-3.9.9-pypy3/lib/Crypto/Util/../Cipher/_raw_des3.pypy37-pp73-x86_64-linux-gnu.so: /usr/lib64/libtomcrypt.so.1: undefined symbol: mp_rand.  Additionally, ctypes.util.find_library() did not manage to locate a library called '/tmp/portage/dev-python/pycryptodome-3.9.9-r1/work/pycryptodome-3.9.9-pypy3/lib/Crypto/Util/../Cipher/_raw_des3.pypy37-pp73-x86_64-linux-gnu.so'

I think libtomcrypt is broken somehow but I'm not sure how.  Adding -lgmp is not sufficient to fix this.
Comment 4 Michał Górny 2020-12-22 09:53:00 UTC
Actually, my bad.  Fixed linking in libtomcrypt wrong.
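The failure in comment 3 is the classic symptom of a shared library that was built against a dependency but never linked against it: libtomcrypt.so.1 imports mp_rand (a libtommath symbol) without declaring the library that provides it, so the symbol stays unresolved until something dlopen()s it. The check below is an added example, not code from this bug, from pycryptodome or from the Gentoo ebuild: it lists a library's DT_NEEDED entries with readelf and uses ldd -r, which forces all relocations, to report any symbol that no declared dependency provides. Running it on the installed /usr/lib64/libtomcrypt.so.1 before touching the pycryptodome ebuild would have pointed at the linking problem directly. Caveat: ldd -r hands the file to the dynamic loader, so run it only on objects you built or trust, never on an untrusted binary.

```shell
#!/bin/sh
# Added example (not from the bug, pycryptodome or the Gentoo ebuild):
# verify that a shared library resolves every symbol it imports against the
# libraries it declares in DT_NEEDED. This is exactly what failed above:
# libtomcrypt.so.1 imported mp_rand but did not declare libtommath.
# Caveat: ldd -r runs the dynamic loader on the file. Use it only on
# objects you built or trust, never on untrusted binaries.

# Print the DT_NEEDED entries the library declares (requires binutils' readelf).
needed_libs() {
    readelf -d "$1" 2>/dev/null | sed -n 's/.*(NEEDED).*\[\(.*\)\].*/\1/p'
}

# Print every symbol the loader cannot resolve, one per line, sorted.
# ldd -r performs function and data relocations, so anything no NEEDED
# library provides is reported as "undefined symbol: NAME".
unresolved_symbols() {
    ldd -r "$1" 2>&1 | sed -n 's/.*undefined symbol: \([^[:space:]]*\).*/\1/p' | sort -u
}

# Return 0 if all imports resolve, 1 otherwise, with a report on stdout.
check_shared_lib() {
    lib=$1
    missing=$(unresolved_symbols "$lib")
    if [ -n "$missing" ]; then
        printf '%s: unresolved symbols (NEEDED: %s)\n' \
            "$lib" "$(needed_libs "$lib" | tr '\n' ' ')"
        # $missing is intentionally unquoted so each symbol prints on its own line.
        printf '  %s\n' $missing
        return 1
    fi
    printf '%s: all imported symbols resolve\n' "$lib"
    return 0
}

# Usage: sh check_shared_lib.sh /usr/lib64/libtomcrypt.so.1
# Exit status is 1 if any given library has unresolved symbols.
if [ "$#" -gt 0 ]; then
    rc=0
    for lib in "$@"; do
        check_shared_lib "$lib" || rc=1
    done
    exit "$rc"
fi
```

The NEEDED list is printed alongside the unresolved symbols because the fix is almost always to add the missing library to the link line (here, linking libtomcrypt against libtommath) rather than to patch the consumer; a library whose NEEDED list already names the provider but still shows unresolved symbols points instead at a version or ABI mismatch in that provider.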
Comment 5 Larry the Git Cow 2020-12-22 10:10:13 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ba6d20d101e079eb1e997fcfb830b40b111b7217

commit ba6d20d101e079eb1e997fcfb830b40b111b7217
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-12-22 09:52:43 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-12-22 10:10:10 +0000

    dev-python/pycryptodome: Unbundle libtomcrypt
    
    Closes: https://bugs.gentoo.org/732662
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 .../pycryptodome-3.9.9-system-libtomcrypt.patch    | 43 +++++++++++++++++
 .../pycryptodome/pycryptodome-3.9.9-r1.ebuild      | 54 ++++++++++++++++++++++
 2 files changed, 97 insertions(+)