Daniel Jakots <[email protected]> writes:

> On Tue, 7 Mar 2017 23:34:38 +0000, Sevan Janiyan
> <[email protected]> wrote:
>
>> Hello,
>> security/py-crypto in ports is vulnerable to CVE-2013-7459, the
>> attached patches apply the changes from the following commit to
>> v2.6.1.
>> https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4
>> 
>> 
>> Sevan
>
> Thanks for the ping, I looked at their website a while ago and read
>
>> In versions prior to v2.6.1, Crypto.Random was insecure when using
>> fork() in some cases. See the advisory for CVE-2013-1445 for more
>> information. It is recommended that users upgrade to PyCrypto v2.6.1
>> or later.
>
> so I thought we were fine. That was another vuln, and the website is as
> maintained as the code.
>
> Here's a diff that works fine both on current and stable (just an off by
> one on -stable regarding the REVISION)
>
> Comments? OK?

ok jca@

Maybe we should move the tree to pycryptodome in the end, which is
supposed to be "a drop-in replacement for the old PyCrypto library".

Just one nit below,

> Cheers,
> Daniel
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/security/py-crypto/Makefile,v
> retrieving revision 1.39
> diff -u -p -r1.39 Makefile
> --- Makefile  3 Jan 2017 19:26:14 -0000       1.39
> +++ Makefile  8 Mar 2017 00:38:30 -0000
> @@ -3,7 +3,7 @@
>  COMMENT =            cryptographic tools for Python
>  
>  MODPY_EGG_VERSION =  2.6.1
> -REVISION =           3
> +REVISION =           4
>  DISTNAME =           pycrypto-${MODPY_EGG_VERSION}
>  PKGNAME =            py-crypto-${MODPY_EGG_VERSION}
>  CATEGORIES =         security devel
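
Review bot: the `REVISION = 4` line will not carry over unchanged to -stable, since the message above says REVISION there differs by one; the -stable commit needs its own value checked against that branch's Makefile. With `MODPY_EGG_VERSION` staying at 2.6.1, the bump itself is what makes the patched package replace the installed one.
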
> Index: patches/patch-lib_Crypto_SelfTest_Cipher_common_py
> ===================================================================
> RCS file: patches/patch-lib_Crypto_SelfTest_Cipher_common_py
> diff -N patches/patch-lib_Crypto_SelfTest_Cipher_common_py
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-lib_Crypto_SelfTest_Cipher_common_py        8 Mar 2017 
> 00:38:30 -0000
> @@ -0,0 +1,48 @@
> +$OpenBSD$
> +
> +Based on 
> +https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4
> +
> +--- lib/Crypto/SelfTest/Cipher/common.py.orig        Mon Oct 14 17:38:10 2013
> ++++ lib/Crypto/SelfTest/Cipher/common.py     Tue Mar  7 19:30:39 2017
> +@@ -239,18 +239,32 @@ class RoundtripTest(unittest.TestCase):
> +         return """%s .decrypt() output of .encrypt() should not be 
> garbled""" % (self.module_name,)
> + 
> +     def runTest(self):
> +-        for mode in (self.module.MODE_ECB, self.module.MODE_CBC, 
> self.module.MODE_CFB, self.module.MODE_OFB, self.module.MODE_OPENPGP):
> ++       ## ECB mode
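
Review bot: in this quoted copy the added patch file is line-wrapped by the mailer (the `+++ patches/patch-lib_Crypto_SelfTest_Cipher_common_py` header, the `return """%s .decrypt() output of .encrypt() ...` context line and the removed `for mode in (...)` line each continue on a second line), so it will not apply if pasted from the mail; take the diff from the original attachment instead. The added `## ECB mode` comment is also indented by seven spaces where the surrounding `runTest` body uses eight; it is worth matching the body's indentation even though the line is only a comment.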

harmless, but there's a missing space.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
