[pycrypto] Wanted: PyCrypto security advisories

Dwayne C. Litzenberger dlitz at dlitz.net
Mon Dec 14 23:47:35 CST 2009


On Sun, Dec 13, 2009 at 03:59:34PM -0500, Dwayne C. Litzenberger wrote:
> PyCrypto 2.1.0 has been released.

This release of PyCrypto fixes a number of issues, but the previous 
release, version 2.0.1 is still widely deployed.

I'm a terrible maintainer with too many half-baked projects on the go.  It 
would be great if someone familiar with making security advisories went 
through this release, acquired CVE numbers where appropriate, and issued 
security advisories for bugs in PyCrypto 2.0.1 and in software that uses it 
incorrectly.

I'm an advocate of full disclosure, so if you find any additional problems 
that haven't been fixed yet, please just file a bug on Launchpad and make 
whatever other announcements you deem necessary.  I don't think I have some 
inherent right to know about exploitable vulnerabilities in other people's 
computers before they do, just because I happen to be (badly) maintaining 
some software they use.  (Please also consider supporting 
http://wikileaks.org/.)

Here are some highlights from the changelog, with my comments:

> 	  - Implemented __ne__() on pubkey, which fixes the following 
> 	  broken behaviour:
> 	        >>> pk.publickey() == pk.publickey()
> 	        True
> 	        >>> pk.publickey() != pk.publickey()
> 	        True
> 	    (patch from Lorenz Quack)

This isn't a security hole in PyCrypto, but I wonder if other software 
breaks, due to PyCrypto violating the expectations of application 
developers.

> 	  - Fixed padding bug in SHA256; this resulted in bad digests 
> 	  whenever (the number of bytes hashed) mod 64 == 55.

I think some distros (e.g. Debian) had this fixed already.  At minimum, 
this is a compatibility problem.  Maybe it's also a security hole; I'm not 
a cryptanalyst, so I don't know.

> 	  - Fixed a bad behaviour of the XOR cipher module: It would 
> 	  silently truncate all keys to 32 bytes.  Now it raises ValueError 
> 	  when the key is too long.

Code that used Crypto.Cipher.XOR to XOR two long strings together would 
fail silently.  If your code raises a ValueError here after upgrading to 
PyCrypto 2.1.0, then you have a security hole.

> 	  - Fixed the winrandom module, which had been omitted from the 
> 	  build process, causing security problems for programs that misuse 
> 	  RandomPool.

In the code I've seen, misusing RandomPool is almost universal.  Someone 
can probably generate a bunch of advisories just by searching Google Code 
Search for "RandomPool".

See https://bugs.launchpad.net/pycrypto/+bug/249765, and follow the links.

> 	* Modified RSA.generate() to ensure that e is coprime to p-1 and 
> 	q-1. Apparently, RSA.generate was capable of generating unusable 
> 	keys.

I don't quite understand the security impact of this (if any), but it was 
reported here:

     https://bugs.launchpad.net/pycrypto/+bug/408660

= = = = = = = = = = = = = =

Here are some quick links:

PyCrypto 2.1.0 release announcement:
     http://lists.dlitz.net/pipermail/pycrypto/2009q4/000169.html
Bug tracker:
     https://bugs.launchpad.net/pycrypto
Website:
     http://www.pycrypto.org/
git repo:
     git://git.pycrypto.org:9419/crypto/pycrypto-2.x.git
gitweb:
     http://gitweb.pycrypto.org/?p=crypto/pycrypto-2.x.git

Cheers,
- Dwayne

-- 
Dwayne C. Litzenberger <dlitz at dlitz.net>
  Key-signing key   - 19E1 1FE8 B3CF F273 ED17  4A24 928C EC13 39C2 5CF7
  Annual key (2009) - C805 1746 397B 0202 2758  2821 58E0 894B 81D2 582E
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 221 bytes
Desc: Digital signature
Url : http://lists.dlitz.net/pipermail/pycrypto/attachments/20091215/65d1618a/attachment.pgp 


More information about the pycrypto mailing list