Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 417625 (CVE-2012-2417) - <dev-python/pycrypto-2.6 : ElGamal Key Generation Weakness (CVE-2012-2417)
Summary: <dev-python/pycrypto-2.6 : ElGamal Key Generation Weakness (CVE-2012-2417)
Status: RESOLVED FIXED
Alias: CVE-2012-2417
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/49263/
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-05-26 12:07 UTC by Agostino Sarubbo
Modified: 2012-06-24 13:14 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-05-26 12:07:59 UTC
From secunia security advisory at $URL:

Description
A weakness has been reported in PyCrypto, which can be exploited by malicious people to conduct brute force attacks.

The weakness is caused due to an error when generating keys using the ElGamal scheme which may result in a reduced key space and can be exploited to derive the private key.

The weakness is reported in versions 2.5 and prior.


Solution
Update to version 2.6.
Comment 1 Dirkjan Ochtman gentoo-dev 2012-05-26 12:23:23 UTC
So, let's stabilize 2.6? Thanks to Maxim for bumping it.
Comment 2 Agostino Sarubbo gentoo-dev 2012-05-26 12:25:12 UTC
Thanks to maksbotan for fast bump.


Arches, please test and mark stable:
=dev-python/pycrypto-2.6
Target KEYWORDS : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2012-05-26 15:30:21 UTC
amd64 stable
Comment 4 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-05-26 19:42:47 UTC
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2012-05-27 14:19:20 UTC
Stable for HPPA.
Comment 6 Oleg Gawriloff 2012-05-29 08:02:03 UTC
pycrypto-2.6 is no longer available.

>>> Downloading 'http://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/pycrypto-2.6.tar.gz'
--2012-05-29 11:00:37--  http://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/pycrypto-2.6.tar.gz
Распознаётся ftp.dlitz.net... 75.119.251.37
Подключение к ftp.dlitz.net|75.119.251.37|:80... соединение установлено.
HTTP-запрос отправлен. Ожидание ответа... 403 Forbidden
2012-05-29 11:00:38 ОШИБКА 403: Forbidden.
Comment 7 Dirkjan Ochtman gentoo-dev 2012-05-29 08:17:52 UTC
http://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/pycrypto-2.6.tar.gz works fine for me.
Comment 8 Markus Meier gentoo-dev 2012-05-30 19:12:15 UTC
arm stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2012-06-03 18:03:23 UTC
alpha/ia64/m68k/s390/sh/sparc stable
Comment 10 Brent Baude (RETIRED) gentoo-dev 2012-06-06 14:11:07 UTC
ppc64 done
Comment 11 Brent Baude (RETIRED) gentoo-dev 2012-06-08 18:10:57 UTC
ppc done
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2012-06-10 15:32:33 UTC
Thanks, folks. GLSA Vote: yes.
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2012-06-11 20:11:38 UTC
GLSA vote: yes.

Filing new glsa request.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 18:27:17 UTC
CVE-2012-2417 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2417):
  PyCrypto before 2.6 does not produce appropriate prime numbers when using an
  ElGamal scheme to generate a key, which reduces the signature space or
  public key space and makes it easier for attackers to conduct brute force
  attacks to obtain the private key.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-06-24 13:14:09 UTC
This issue was resolved and addressed in
 GLSA 201206-23 at http://security.gentoo.org/glsa/glsa-201206-23.xml
by GLSA coordinator Sean Amoss (ackle).