From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: pycrypto buffer overflow (potentially affects onionshare and other
	packages)
Date: Mon, 26 Dec 2016 12:43:44 -0500
Message-ID: <20161226174344.GA10842@jasmine>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="NzB8fVQJ5HfG6fxh"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:53003)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1cLZgV-0005Vm-JI
	for guix-devel@gnu.org; Mon, 26 Dec 2016 13:07:44 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1cLZgS-0001D1-8e
	for guix-devel@gnu.org; Mon, 26 Dec 2016 13:07:43 -0500
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:36732)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <leo@famulari.name>) id 1cLZgR-0001Cl-VH
	for guix-devel@gnu.org; Mon, 26 Dec 2016 13:07:40 -0500
Received: from localhost (c-76-110-75-179.hsd1.fl.comcast.net [76.110.75.179])
	by mail.messagingengine.com (Postfix) with ESMTPA id E10222452C
	for <guix-devel@gnu.org>; Mon, 26 Dec 2016 13:07:38 -0500 (EST)
Content-Disposition: inline
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-devel@gnu.org


--NzB8fVQJ5HfG6fxh
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

The pycrypto library contains at least one dangerous buffer overflow:

https://github.com/dlitz/pycrypto/issues/176

And the pycrypto project is inactive:

https://github.com/dlitz/pycrypto/issues/173

The list of our packages that use pycrypto:

python-axolotl-0.1.35
onionshare-0.9.2
python-flask-restful-swagger-0.19
python-swiftclient-2.6.0
jrnl-1.9.7
ansible-2.1.0.0

--NzB8fVQJ5HfG6fxh
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlhhVswACgkQJkb6MLrK
fwggRQ//R0bRMsZY3+EFCL9IyueknWR+uJ9FOvq4GNPKmpfPZcbtIX2Ku23A+2KT
mX0iVbfAzUUROsW8mZRFXvzw1UCHOVNk9Fizq1BSKX6Cx0eIIC7qCXDUZqBCguvX
5ubaUwhh8jwetktO56HUEW9DuzPuC/wsTnEnzOXn9nOkZIaSmGrkjN3ytJ9KJ1GI
2WmpalnYqtPPoVtYIYNzbAFNuuQ75L6ZiRnOnWckOlHWU0TE2UpiZ/jRyvcK2M+M
rCtXSTSEvKbAYqUIa+UMjTWN2D9wodmxnB3RQ3YFbX46l128HylSiusrHikxXaPy
tCfqBtY/9T0ha0fBXBgF7gupUl6TPJvHghWv/KXezGHOtL41O6DuiXCQl0Kzxwat
V64QeGvz+d90DkD3SbOKsJjqkrhg8OdjfhbZFJLgn3UI6Sx85v0V8fEH5TPAssqw
oDs5C3M7JZwJC20t4e0TSjtS1M+cXwO07Wox3fiOE45UO7czAPcMa0T6hli6k7ls
x5Q+PD1u5nL27zLzy2E3gvsSIKPvPOfTlVKhXclLor2o1FpHl6A31qdw8ZEMSFct
YshpE/5pFB43Qo3gzsG5fAYvjtx3teFx8LwdCLCWYXhXzBx60r9//luCLvzYIced
4oDkWBJ1f2kA3IRJnXrIRpXl2aWsD0Ocg/uTIatNG1tisnoSWVM=
=wQX+
-----END PGP SIGNATURE-----

--NzB8fVQJ5HfG6fxh--