From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: Re: pycrypto buffer overflow (potentially affects onionshare and
	other packages)
Date: Mon, 26 Dec 2016 19:54:05 -0500
Message-ID: <20161227005405.GA13558@jasmine>
References: <20161226174344.GA10842@jasmine> <20161226180844.GA12367@jasmine>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="CE+1k2dSO48ffgeK"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:44817)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1cLg1q-0000kf-UX
	for guix-devel@gnu.org; Mon, 26 Dec 2016 19:54:11 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1cLg1n-00037q-TM
	for guix-devel@gnu.org; Mon, 26 Dec 2016 19:54:11 -0500
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:43004)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <leo@famulari.name>) id 1cLg1n-00037N-OC
	for guix-devel@gnu.org; Mon, 26 Dec 2016 19:54:07 -0500
Received: from localhost (c-76-110-75-179.hsd1.fl.comcast.net [76.110.75.179])
	by mail.messagingengine.com (Postfix) with ESMTPA id A55D07E2B2
	for <guix-devel@gnu.org>; Mon, 26 Dec 2016 19:54:06 -0500 (EST)
Content-Disposition: inline
In-Reply-To: <20161226180844.GA12367@jasmine>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-devel@gnu.org


--CE+1k2dSO48ffgeK
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Dec 26, 2016 at 01:08:44PM -0500, Leo Famulari wrote:
> On Mon, Dec 26, 2016 at 12:43:44PM -0500, Leo Famulari wrote:
> > The list of our packages that use pycrypto:
>=20
> [...]
>=20
> > onionshare-0.9.2
>=20
> This comes through python-stem. I've contacted the stem maintainer about
> this issue.

Based on my discussion with the Stem maintainer, I removed pycrypto from
the dependency graph of OnionShare and added a comment about removing
the pycrypto package in 4de2a710a6a309a1601f1cf6fc15b9b638d3a3cb and
1194575b3c44969e4f68cd10a62e6ed8603e39b4, respectively.

--CE+1k2dSO48ffgeK
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlhhu60ACgkQJkb6MLrK
fwj2SRAAy/2clcDt6PRUVmct6+4Mmu/JDuIpy7NJ1ZbZTD4hFmal370jb4rt8TWA
z7FXJE4nI5uwZ8jfdNoC88Qvvpa2WThAEJUSltGwcDw8Qd0FkJxmhz1b5FdhAc8g
YWfxjCQgPuBl9U7uf3Os3wJ40sKF1zKgkIEjkipEBMCfLB1kMKl+u3nk4OvdQCfb
IebkLfHLVlFcBU0VlXc0TgW2XitaRqULMHE4yteI7AnS+r+bo6zglMP1kl6pRwI2
5KKTGEyQho0lzDoK7FckX3mec0wCTKO9L4eXM7WBenjiiPo9xg8h++2tghYfooZw
F+A87KGcZNtiUdLaYZrCd9ilhyNODI2CH78eItwBYHosl0xF4QdYiZQESjwBqBgL
GSQeajKbp9liqeDnasF4Q/+Lar5lWwnd5rRv9GYHuZQwgQLZ0Ja8JUq4Pw108RAh
JUcV+ET7k2Gmex6AXSNgauQft3gohUeTDmsPnokSTaVQOofZYrGsODcCbtaMJqOr
vJzWFvAIvV1JYHzNnJX5eZBOZIzvLHIy/stfAcmzhgf/Vv8N5d2cBxI1yiOxz/ek
SXigR7Wnkd+gxfKTxN+wx1Iyz9jZubDnhmse3yY3d0YYQD9nZZ73uFWUICuHyexb
EGxNqkOzHx4yBis2QwrkXdZmvUJP6lyc7LCne2sKc4p5A+IGF1k=
=9+VD
-----END PGP SIGNATURE-----

--CE+1k2dSO48ffgeK--