Bug 703682 (CVE-2018-6594) - dev-python/pycrypto: Weak ElGamal key parameters (CVE-2018-6594)
Summary: dev-python/pycrypto: Weak ElGamal key parameters (CVE-2018-6594)
Status: RESOLVED FIXED
Alias: CVE-2018-6594
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Deadline: 2020-05-18
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ masked cve]
Keywords: PMASKED
Depends on: pycryptodome-tracker
Blocks:
Reported: 2019-12-24 22:06 UTC by Sebastian Pipping
Modified: 2020-07-31 17:14 UTC (History)
CC: 3 users

See Also:
Package list:
Runtime testing required: ---


Description Sebastian Pipping gentoo-dev 2019-12-24 22:06:28 UTC
Hi!

Our current dev-python/pycrypto-2.6.1-r2 is vulnerable to CVE-2018-6594 [1]. Rather than just patching [2] the issue [3], I would consider hard-masking the package for removal because it's dead [4] and unfixed upstream for 5 years [5] and the world is moving on to substitutes like dev-python/pycryptodome.

What do you think?

Best, Sebastian


[1] https://www.cvedetails.com/cve/CVE-2018-6594/
[2] https://github.com/dlitz/pycrypto/pull/256
[3] https://github.com/dlitz/pycrypto/issues/253
[4] https://github.com/dlitz/pycrypto/issues/238
[5] https://github.com/dlitz/pycrypto/commits/master
Comment 1 Sebastian Pipping gentoo-dev 2019-12-24 22:10:32 UTC
PS: Found the package in package.deprecated just now as well — https://cgit.gentoo.org/repo/gentoo.git/commit/?id=ce0d379f4bb4b1e1d32e927f5856df43a3a25ac6
Comment 2 Larry the Git Cow gentoo-dev 2020-04-18 09:39:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6046bd7f9447639fb15fc6129c7b5581a863050

commit b6046bd7f9447639fb15fc6129c7b5581a863050
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-18 09:38:24 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-18 09:39:13 +0000

    package.mask: Last rite dev-python/pycrypto
    
    Bug: https://bugs.gentoo.org/703682
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.deprecated | 6 ------
 profiles/package.mask       | 6 ++++++
 2 files changed, 6 insertions(+), 6 deletions(-)
Comment 3 Larry the Git Cow gentoo-dev 2020-05-23 09:29:37 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09301ae9f547c534d3120f2b24f376f7931b6ec6

commit 09301ae9f547c534d3120f2b24f376f7931b6ec6
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-05-23 09:28:17 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-05-23 09:29:27 +0000

    dev-python/pycrypto: Remove last-rited pkg
    
    Closes: https://bugs.gentoo.org/703682
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pycrypto/Manifest                       |  1 -
 .../files/pycrypto-2.6.1-CVE-2013-7459.patch       | 88 ----------------------
 .../files/pycrypto-2.6.1-cross-compile.patch       | 13 ----
 dev-python/pycrypto/metadata.xml                   | 34 ---------
 dev-python/pycrypto/pycrypto-2.6.1-r2.ebuild       | 76 -------------------
 profiles/base/package.use.mask                     |  1 -
 profiles/package.mask                              |  6 --
 7 files changed, 219 deletions(-)
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-05-23 09:33:06 UTC
I'm sorry for accidentally closing it.
Comment 5 Sam James gentoo-dev Security 2020-07-30 01:20:52 UTC
(In reply to Michał Górny from comment #4)
> I'm sorry for accidentally closing it.

No worries.

GLSA vote: yes
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2020-07-31 17:13:35 UTC
This issue was resolved and addressed in
 GLSA 202007-62 at https://security.gentoo.org/glsa/202007-62
by GLSA coordinator Sam James (sam_c).