* pycrypto buffer overflow (potentially affects onionshare and other packages)
@ 2016-12-26 17:43 Leo Famulari
2016-12-26 18:08 ` Leo Famulari
0 siblings, 1 reply; 7+ messages in thread
From: Leo Famulari @ 2016-12-26 17:43 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1: Type: text/plain, Size: 372 bytes --]
The pycrypto library contains at least one dangerous buffer overflow:
https://github.com/dlitz/pycrypto/issues/176
And the pycrypto project is inactive:
https://github.com/dlitz/pycrypto/issues/173
The list of our packages that use pycrypto:
python-axolotl-0.1.35
onionshare-0.9.2
python-flask-restful-swagger-0.19
python-swiftclient-2.6.0
jrnl-1.9.7
ansible-2.1.0.0
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: pycrypto buffer overflow (potentially affects onionshare and other packages)
2016-12-26 17:43 pycrypto buffer overflow (potentially affects onionshare and other packages) Leo Famulari
@ 2016-12-26 18:08 ` Leo Famulari
2016-12-27 0:54 ` Leo Famulari
0 siblings, 1 reply; 7+ messages in thread
From: Leo Famulari @ 2016-12-26 18:08 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1: Type: text/plain, Size: 221 bytes --]
On Mon, Dec 26, 2016 at 12:43:44PM -0500, Leo Famulari wrote:
> The list of our packages that use pycrypto:
[...]
> onionshare-0.9.2
This comes through python-stem. I've contacted the stem maintainer about
this issue.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: pycrypto buffer overflow (potentially affects onionshare and other packages)
2016-12-26 18:08 ` Leo Famulari
@ 2016-12-27 0:54 ` Leo Famulari
2017-01-02 20:41 ` Ludovic Courtès
0 siblings, 1 reply; 7+ messages in thread
From: Leo Famulari @ 2016-12-27 0:54 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1: Type: text/plain, Size: 585 bytes --]
On Mon, Dec 26, 2016 at 01:08:44PM -0500, Leo Famulari wrote:
> On Mon, Dec 26, 2016 at 12:43:44PM -0500, Leo Famulari wrote:
> > The list of our packages that use pycrypto:
>
> [...]
>
> > onionshare-0.9.2
>
> This comes through python-stem. I've contacted the stem maintainer about
> this issue.
Based on my discussion with the Stem maintainer, I removed pycrypto from
the dependency graph of OnionShare and added a comment about removing
the pycrypto package in 4de2a710a6a309a1601f1cf6fc15b9b638d3a3cb and
1194575b3c44969e4f68cd10a62e6ed8603e39b4, respectively.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: pycrypto buffer overflow (potentially affects onionshare and other packages)
2016-12-27 0:54 ` Leo Famulari
@ 2017-01-02 20:41 ` Ludovic Courtès
2017-01-03 4:59 ` Leo Famulari
0 siblings, 1 reply; 7+ messages in thread
From: Ludovic Courtès @ 2017-01-02 20:41 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Leo Famulari <leo@famulari.name> skribis:
> On Mon, Dec 26, 2016 at 01:08:44PM -0500, Leo Famulari wrote:
>> On Mon, Dec 26, 2016 at 12:43:44PM -0500, Leo Famulari wrote:
>> > The list of our packages that use pycrypto:
>>
>> [...]
>>
>> > onionshare-0.9.2
>>
>> This comes through python-stem. I've contacted the stem maintainer about
>> this issue.
>
> Based on my discussion with the Stem maintainer, I removed pycrypto from
> the dependency graph of OnionShare and added a comment about removing
> the pycrypto package in 4de2a710a6a309a1601f1cf6fc15b9b638d3a3cb and
> 1194575b3c44969e4f68cd10a62e6ed8603e39b4, respectively.
Thanks. Looks like another case of an important piece of software
lacking a maintainer…
Ludo’.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: pycrypto buffer overflow (potentially affects onionshare and other packages)
2017-01-02 20:41 ` Ludovic Courtès
@ 2017-01-03 4:59 ` Leo Famulari
2017-01-05 10:39 ` Ludovic Courtès
0 siblings, 1 reply; 7+ messages in thread
From: Leo Famulari @ 2017-01-03 4:59 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
On Mon, Jan 02, 2017 at 09:41:26PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> > Based on my discussion with the Stem maintainer, I removed pycrypto from
> > the dependency graph of OnionShare and added a comment about removing
> > the pycrypto package in 4de2a710a6a309a1601f1cf6fc15b9b638d3a3cb and
> > 1194575b3c44969e4f68cd10a62e6ed8603e39b4, respectively.
>
> Thanks. Looks like another case of an important piece of software
> lacking a maintainer…
At this point, I think it's recommended to use the 'cryptography'
module, which we have as python-cryptography. This seems to be where all
the development energy is being spent.
Debian adapted the upstream patch:
https://anonscm.debian.org/cgit/collab-maint/python-crypto.git/commit/?id=0de2243837ed369a086f15c50cca2be85bdfab9d
What do people think?
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: pycrypto buffer overflow (potentially affects onionshare and other packages)
2017-01-03 4:59 ` Leo Famulari
@ 2017-01-05 10:39 ` Ludovic Courtès
2017-01-10 0:09 ` Leo Famulari
0 siblings, 1 reply; 7+ messages in thread
From: Ludovic Courtès @ 2017-01-05 10:39 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Leo Famulari <leo@famulari.name> skribis:
> On Mon, Jan 02, 2017 at 09:41:26PM +0100, Ludovic Courtès wrote:
>> Leo Famulari <leo@famulari.name> skribis:
>> > Based on my discussion with the Stem maintainer, I removed pycrypto from
>> > the dependency graph of OnionShare and added a comment about removing
>> > the pycrypto package in 4de2a710a6a309a1601f1cf6fc15b9b638d3a3cb and
>> > 1194575b3c44969e4f68cd10a62e6ed8603e39b4, respectively.
>>
>> Thanks. Looks like another case of an important piece of software
>> lacking a maintainer…
>
> At this point, I think it's recommended to use the 'cryptography'
> module, which we have as python-cryptography. This seems to be where all
> the development energy is being spent.
>
> Debian adapted the upstream patch:
>
> https://anonscm.debian.org/cgit/collab-maint/python-crypto.git/commit/?id=0de2243837ed369a086f15c50cca2be85bdfab9d
>
> What do people think?
Maybe we should apply this patch as well as progressively migrate to
python-cryptography whenever possible?
Ludo’.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: pycrypto buffer overflow (potentially affects onionshare and other packages)
2017-01-05 10:39 ` Ludovic Courtès
@ 2017-01-10 0:09 ` Leo Famulari
0 siblings, 0 replies; 7+ messages in thread
From: Leo Famulari @ 2017-01-10 0:09 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
On Thu, Jan 05, 2017 at 11:39:58AM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
>
> > On Mon, Jan 02, 2017 at 09:41:26PM +0100, Ludovic Courtès wrote:
> >> Leo Famulari <leo@famulari.name> skribis:
> >> > Based on my discussion with the Stem maintainer, I removed pycrypto from
> >> > the dependency graph of OnionShare and added a comment about removing
> >> > the pycrypto package in 4de2a710a6a309a1601f1cf6fc15b9b638d3a3cb and
> >> > 1194575b3c44969e4f68cd10a62e6ed8603e39b4, respectively.
> >>
> >> Thanks. Looks like another case of an important piece of software
> >> lacking a maintainer…
> >
> > At this point, I think it's recommended to use the 'cryptography'
> > module, which we have as python-cryptography. This seems to be where all
> > the development energy is being spent.
> >
> > Debian adapted the upstream patch:
> >
> > https://anonscm.debian.org/cgit/collab-maint/python-crypto.git/commit/?id=0de2243837ed369a086f15c50cca2be85bdfab9d
> >
> > What do people think?
>
> Maybe we should apply this patch as well as progressively migrate to
> python-cryptography whenever possible?
I applied the Debian patch in aa21c764d65068783ae31febee2a92eb3d138a24.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2017-01-10 0:09 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-12-26 17:43 pycrypto buffer overflow (potentially affects onionshare and other packages) Leo Famulari
2016-12-26 18:08 ` Leo Famulari
2016-12-27 0:54 ` Leo Famulari
2017-01-02 20:41 ` Ludovic Courtès
2017-01-03 4:59 ` Leo Famulari
2017-01-05 10:39 ` Ludovic Courtès
2017-01-10 0:09 ` Leo Famulari
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).