703682 – (CVE-2018-6594) dev-python/pycrypto: Weak ElGamal key parameters (CVE-2018-6594)

Bug 703682 (CVE-2018-6594) - dev-python/pycrypto: Weak ElGamal key parameters (CVE-2018-6594)

Summary: dev-python/pycrypto: Weak ElGamal key parameters (CVE-2018-6594)

Status:	RESOLVED FIXED

Alias:	CVE-2018-6594

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Deadline:	2020-05-18
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [glsa+ masked cve]
Keywords:	PMASKED

Depends on:	pycryptodome-tracker
Blocks:
	Show dependency tree

Reported:	2019-12-24 22:06 UTC by Sebastian Pipping
Modified:	2020-07-31 17:14 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sebastian Pipping gentoo-dev

2019-12-24 22:06:28 UTC

Hi!

Our current dev-python/pycrypto-2.6.1-r2 is vulnerable to CVE-2018-6594 [1]. Rather than just  patching [2] the issue [3], I would consider hard-masking the package for removal because it's dead [4] and unfixed upstream for 5 years [5] and the world is moving on to substitutes like dev-python/pycryptodome.

What do you think?

Best, Sebastian


[1] https://www.cvedetails.com/cve/CVE-2018-6594/
[2] https://github.com/dlitz/pycrypto/pull/256
[3] https://github.com/dlitz/pycrypto/issues/253
[4] https://github.com/dlitz/pycrypto/issues/238
[5] https://github.com/dlitz/pycrypto/commits/master

Comment 1 Sebastian Pipping gentoo-dev

2019-12-24 22:10:32 UTC

PS: Found the package in package.deprecated just now as well — https://cgit.gentoo.org/repo/gentoo.git/commit/?id=ce0d379f4bb4b1e1d32e927f5856df43a3a25ac6

Comment 2 Larry the Git Cow gentoo-dev

2020-04-18 09:39:24 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6046bd7f9447639fb15fc6129c7b5581a863050

commit b6046bd7f9447639fb15fc6129c7b5581a863050
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-04-18 09:38:24 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-04-18 09:39:13 +0000

    package.mask: Last rite dev-python/pycrypto
    
    Bug: https://bugs.gentoo.org/703682
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.deprecated | 6 ------
 profiles/package.mask       | 6 ++++++
 2 files changed, 6 insertions(+), 6 deletions(-)

Comment 3 Larry the Git Cow gentoo-dev

2020-05-23 09:29:37 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09301ae9f547c534d3120f2b24f376f7931b6ec6

commit 09301ae9f547c534d3120f2b24f376f7931b6ec6
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-05-23 09:28:17 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-05-23 09:29:27 +0000

    dev-python/pycrypto: Remove last-rited pkg
    
    Closes: https://bugs.gentoo.org/703682
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/pycrypto/Manifest                       |  1 -
 .../files/pycrypto-2.6.1-CVE-2013-7459.patch       | 88 ----------------------
 .../files/pycrypto-2.6.1-cross-compile.patch       | 13 ----
 dev-python/pycrypto/metadata.xml                   | 34 ---------
 dev-python/pycrypto/pycrypto-2.6.1-r2.ebuild       | 76 -------------------
 profiles/base/package.use.mask                     |  1 -
 profiles/package.mask                              |  6 --
 7 files changed, 219 deletions(-)

Comment 4 Michał Górny archtester

2020-05-23 09:33:06 UTC

I'm sorry for accidentally closing it.

Comment 5 Sam James archtester

2020-07-30 01:20:52 UTC

(In reply to Michał Górny from comment #4)
> I'm sorry for accidentally closing it.

No worries.

GLSA vote: yes

Comment 6 GLSAMaker/CVETool Bot gentoo-dev

2020-07-31 17:13:35 UTC

This issue was resolved and addressed in
 GLSA 202007-62 at https://security.gentoo.org/glsa/202007-62
by GLSA coordinator Sam James (sam_c).