pycrypto buffer overflow (potentially affects onionshare and other packages)

unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed

* pycrypto buffer overflow (potentially affects onionshare and other packages)
@ 2016-12-26 17:43 Leo Famulari
  2016-12-26 18:08 ` Leo Famulari
  0 siblings, 1 reply; 7+ messages in thread
From: Leo Famulari @ 2016-12-26 17:43 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 372 bytes --]

The pycrypto library contains at least one dangerous buffer overflow:

https://github.com/dlitz/pycrypto/issues/176

And the pycrypto project is inactive:

https://github.com/dlitz/pycrypto/issues/173

The list of our packages that use pycrypto:

python-axolotl-0.1.35
onionshare-0.9.2
python-flask-restful-swagger-0.19
python-swiftclient-2.6.0
jrnl-1.9.7
ansible-2.1.0.0

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: pycrypto buffer overflow (potentially affects onionshare and other packages)
  2016-12-26 17:43 pycrypto buffer overflow (potentially affects onionshare and other packages) Leo Famulari
@ 2016-12-26 18:08 ` Leo Famulari
  2016-12-27  0:54   ` Leo Famulari
  0 siblings, 1 reply; 7+ messages in thread
From: Leo Famulari @ 2016-12-26 18:08 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 221 bytes --]

On Mon, Dec 26, 2016 at 12:43:44PM -0500, Leo Famulari wrote:
> The list of our packages that use pycrypto:

[...]

> onionshare-0.9.2

This comes through python-stem. I've contacted the stem maintainer about
this issue.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: pycrypto buffer overflow (potentially affects onionshare and other packages)
  2016-12-26 18:08 ` Leo Famulari
@ 2016-12-27  0:54   ` Leo Famulari
  2017-01-02 20:41     ` Ludovic Courtès
  0 siblings, 1 reply; 7+ messages in thread
From: Leo Famulari @ 2016-12-27  0:54 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 585 bytes --]

On Mon, Dec 26, 2016 at 01:08:44PM -0500, Leo Famulari wrote:
> On Mon, Dec 26, 2016 at 12:43:44PM -0500, Leo Famulari wrote:
> > The list of our packages that use pycrypto:
> 
> [...]
> 
> > onionshare-0.9.2
> 
> This comes through python-stem. I've contacted the stem maintainer about
> this issue.

Based on my discussion with the Stem maintainer, I removed pycrypto from
the dependency graph of OnionShare and added a comment about removing
the pycrypto package in 4de2a710a6a309a1601f1cf6fc15b9b638d3a3cb and
1194575b3c44969e4f68cd10a62e6ed8603e39b4, respectively.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: pycrypto buffer overflow (potentially affects onionshare and other packages)
  2016-12-27  0:54   ` Leo Famulari
@ 2017-01-02 20:41     ` Ludovic Courtès
  2017-01-03  4:59       ` Leo Famulari
  0 siblings, 1 reply; 7+ messages in thread
From: Ludovic Courtès @ 2017-01-02 20:41 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> skribis:

> On Mon, Dec 26, 2016 at 01:08:44PM -0500, Leo Famulari wrote:
>> On Mon, Dec 26, 2016 at 12:43:44PM -0500, Leo Famulari wrote:
>> > The list of our packages that use pycrypto:
>> 
>> [...]
>> 
>> > onionshare-0.9.2
>> 
>> This comes through python-stem. I've contacted the stem maintainer about
>> this issue.
>
> Based on my discussion with the Stem maintainer, I removed pycrypto from
> the dependency graph of OnionShare and added a comment about removing
> the pycrypto package in 4de2a710a6a309a1601f1cf6fc15b9b638d3a3cb and
> 1194575b3c44969e4f68cd10a62e6ed8603e39b4, respectively.

Thanks.  Looks like another case of an important piece of software
lacking a maintainer…

Ludo’.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: pycrypto buffer overflow (potentially affects onionshare and other packages)
  2017-01-02 20:41     ` Ludovic Courtès
@ 2017-01-03  4:59       ` Leo Famulari
  2017-01-05 10:39         ` Ludovic Courtès
  0 siblings, 1 reply; 7+ messages in thread
From: Leo Famulari @ 2017-01-03  4:59 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

On Mon, Jan 02, 2017 at 09:41:26PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> > Based on my discussion with the Stem maintainer, I removed pycrypto from
> > the dependency graph of OnionShare and added a comment about removing
> > the pycrypto package in 4de2a710a6a309a1601f1cf6fc15b9b638d3a3cb and
> > 1194575b3c44969e4f68cd10a62e6ed8603e39b4, respectively.
> 
> Thanks.  Looks like another case of an important piece of software
> lacking a maintainer…

At this point, I think it's recommended to use the 'cryptography'
module, which we have as python-cryptography. This seems to be where all
the development energy is being spent.

Debian adapted the upstream patch:

https://anonscm.debian.org/cgit/collab-maint/python-crypto.git/commit/?id=0de2243837ed369a086f15c50cca2be85bdfab9d

What do people think?

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: pycrypto buffer overflow (potentially affects onionshare and other packages)
  2017-01-03  4:59       ` Leo Famulari
@ 2017-01-05 10:39         ` Ludovic Courtès
  2017-01-10  0:09           ` Leo Famulari
  0 siblings, 1 reply; 7+ messages in thread
From: Ludovic Courtès @ 2017-01-05 10:39 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> skribis:

> On Mon, Jan 02, 2017 at 09:41:26PM +0100, Ludovic Courtès wrote:
>> Leo Famulari <leo@famulari.name> skribis:
>> > Based on my discussion with the Stem maintainer, I removed pycrypto from
>> > the dependency graph of OnionShare and added a comment about removing
>> > the pycrypto package in 4de2a710a6a309a1601f1cf6fc15b9b638d3a3cb and
>> > 1194575b3c44969e4f68cd10a62e6ed8603e39b4, respectively.
>> 
>> Thanks.  Looks like another case of an important piece of software
>> lacking a maintainer…
>
> At this point, I think it's recommended to use the 'cryptography'
> module, which we have as python-cryptography. This seems to be where all
> the development energy is being spent.
>
> Debian adapted the upstream patch:
>
> https://anonscm.debian.org/cgit/collab-maint/python-crypto.git/commit/?id=0de2243837ed369a086f15c50cca2be85bdfab9d
>
> What do people think?

Maybe we should apply this patch as well as progressively migrate to
python-cryptography whenever possible?

Ludo’.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: pycrypto buffer overflow (potentially affects onionshare and other packages)
  2017-01-05 10:39         ` Ludovic Courtès
@ 2017-01-10  0:09           ` Leo Famulari
  0 siblings, 0 replies; 7+ messages in thread
From: Leo Famulari @ 2017-01-10  0:09 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

On Thu, Jan 05, 2017 at 11:39:58AM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> 
> > On Mon, Jan 02, 2017 at 09:41:26PM +0100, Ludovic Courtès wrote:
> >> Leo Famulari <leo@famulari.name> skribis:
> >> > Based on my discussion with the Stem maintainer, I removed pycrypto from
> >> > the dependency graph of OnionShare and added a comment about removing
> >> > the pycrypto package in 4de2a710a6a309a1601f1cf6fc15b9b638d3a3cb and
> >> > 1194575b3c44969e4f68cd10a62e6ed8603e39b4, respectively.
> >> 
> >> Thanks.  Looks like another case of an important piece of software
> >> lacking a maintainer…
> >
> > At this point, I think it's recommended to use the 'cryptography'
> > module, which we have as python-cryptography. This seems to be where all
> > the development energy is being spent.
> >
> > Debian adapted the upstream patch:
> >
> > https://anonscm.debian.org/cgit/collab-maint/python-crypto.git/commit/?id=0de2243837ed369a086f15c50cca2be85bdfab9d
> >
> > What do people think?
> 
> Maybe we should apply this patch as well as progressively migrate to
> python-cryptography whenever possible?

I applied the Debian patch in aa21c764d65068783ae31febee2a92eb3d138a24.

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2017-01-10  0:09 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-12-26 17:43 pycrypto buffer overflow (potentially affects onionshare and other packages) Leo Famulari
2016-12-26 18:08 ` Leo Famulari
2016-12-27  0:54   ` Leo Famulari
2017-01-02 20:41     ` Ludovic Courtès
2017-01-03  4:59       ` Leo Famulari
2017-01-05 10:39         ` Ludovic Courtès
2017-01-10  0:09           ` Leo Famulari

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).