Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

pycryptodome: CVE-2018-6594

Related Vulnerabilities: CVE-2018-6594  

Source

Debian Bug report logs - #889998
pycryptodome: CVE-2018-6594

version graph

Package: src:pycryptodome; Maintainer for src:pycryptodome is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 9 Feb 2018 21:00:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version pycryptodome/3.4.7-1

Fixed in version pycryptodome/3.4.11-1

Done: Christopher Hoskin <mans0954@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/Legrandin/pycryptodome/issues/90

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>:
Bug#889998; Package src:pycryptodome. (Fri, 09 Feb 2018 21:00:05 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>. (Fri, 09 Feb 2018 21:00:05 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pycryptodome: CVE-2018-6594
Date: Fri, 09 Feb 2018 21:57:09 +0100
Source: pycryptodome
Version: 3.4.7-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/Legrandin/pycryptodome/issues/90

Hi,

the following vulnerability was published for pycryptodome.

CVE-2018-6594[0]:
| lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generates
| weak ElGamal key parameters, which allows attackers to obtain
| sensitive information by reading ciphertext data (i.e., it does not
| have semantic security in face of a ciphertext-only attack). The
| Decisional Diffie-Hellman (DDH) assumption does not hold for
| PyCrypto's ElGamal implementation.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-6594
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6594
[1] https://github.com/Legrandin/pycryptodome/issues/90
[2] https://github.com/Legrandin/pycryptodome/commit/99c27a3b9e8a884bbde0e88c63234b669d4398d8

Regards,
Salvatore

Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 09 Feb 2018 21:06:02 GMT) (full text, mbox, link).

Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#889998. (Fri, 02 Mar 2018 21:09:05 GMT) (full text, mbox, link).

Message #10 received at 889998-submitter@bugs.debian.org (full text, mbox, reply):

From: mans0954@debian.org
To: 889998-submitter@bugs.debian.org
Subject: Bug #889998 in pycryptodome marked as pending
Date: Fri, 02 Mar 2018 21:05:41 +0000
Control: tag -1 pending

Hello,

Bug #889998 in pycryptodome reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/python-team/modules/pycryptodome/commit/57f845b49a224caeb43630aaf643ff55c104f345

------------------------------------------------------------------------
Fix "CVE-2018-6594" Resolved by upstream in 3.4.10 (Closes: #889998)

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

Added tag(s) pending. Request was from mans0954@debian.org to 889998-submitter@bugs.debian.org. (Fri, 02 Mar 2018 21:09:05 GMT) (full text, mbox, link).

Reply sent to Christopher Hoskin <mans0954@debian.org>:
You have taken responsibility. (Tue, 06 Mar 2018 09:09:10 GMT) (full text, mbox, link).

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 06 Mar 2018 09:09:10 GMT) (full text, mbox, link).

Message #17 received at 889998-close@bugs.debian.org (full text, mbox, reply):

From: Christopher Hoskin <mans0954@debian.org>
To: 889998-close@bugs.debian.org
Subject: Bug#889998: fixed in pycryptodome 3.4.11-1
Date: Tue, 06 Mar 2018 09:08:23 +0000
Source: pycryptodome
Source-Version: 3.4.11-1

We believe that the bug you reported is fixed in the latest version of
pycryptodome, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 889998@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christopher Hoskin <mans0954@debian.org> (supplier of updated pycryptodome package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 06 Mar 2018 07:02:32 +0000
Source: pycryptodome
Binary: python-pycryptodome python3-pycryptodome python-pycryptodome-doc
Architecture: source
Version: 3.4.11-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>
Changed-By: Christopher Hoskin <mans0954@debian.org>
Description:
 python-pycryptodome - cryptographic Python library (Python 2)
 python-pycryptodome-doc - cryptographic Python library (documentation)
 python3-pycryptodome - cryptographic Python library (Python 3)
Closes: 889998
Changes:
 pycryptodome (3.4.11-1) unstable; urgency=medium
 .
   [ Ondřej Nový ]
   * d/control: Set Vcs-* to salsa.debian.org
 .
   [ Christopher Hoskin ]
   * Fix "CVE-2018-6594" Resolved by upstream in 3.4.10 (Closes:
     #889998)
   * Add upstream metadata file
   * Add 0003-Fix-syntax-error.patch
   * Add lib/Cryptodome/ to clean
   * Bump debhelper compat from 9 to 11
   * Keep the documentation in python-pycryptodome-doc (for now at least)
   * Bump Standards-Version from 4.1.1 to 4.1.3 (no change required)
Checksums-Sha1:
 c3d78298eafcaca41942edbd840b29131976c06f 2602 pycryptodome_3.4.11-1.dsc
 daffceda74d65d57c83a63d1e5d3125b6961d571 6703564 pycryptodome_3.4.11.orig.tar.gz
 e1b2866f20172e308c70f83e42a995e6f8dd7563 801 pycryptodome_3.4.11.orig.tar.gz.asc
 b140eb5e3fe2ac3b18a02c661b61f7f75b3d09b8 9272 pycryptodome_3.4.11-1.debian.tar.xz
 4ee58a9eaf2001f0f23d0bde770aa56d4b599f28 8828 pycryptodome_3.4.11-1_amd64.buildinfo
Checksums-Sha256:
 58fbe052b4fbef7fe6406d3ee5c61604beb172bc1570464f85e64c790c04124e 2602 pycryptodome_3.4.11-1.dsc
 c5dd29e9f1b733e74311bf95d0e544e91bd1d14bc0366e8f443562d8d9920b7d 6703564 pycryptodome_3.4.11.orig.tar.gz
 2956d71e025f0eaf556c74836b0d3d21034b3a5d6b5ed3716773f042f3b06572 801 pycryptodome_3.4.11.orig.tar.gz.asc
 4850f225b62414739697bd1fac0b24b47d1f37871dc684992ec75d8618d66e47 9272 pycryptodome_3.4.11-1.debian.tar.xz
 ee92d02e376364580b6b5d740488013118bd697aa2a978ba88a787f772ef524e 8828 pycryptodome_3.4.11-1_amd64.buildinfo
Files:
 c686a532dd504630693ca258d93f4142 2602 python optional pycryptodome_3.4.11-1.dsc
 a2587b6381b0ef4eb960cea1e7507d04 6703564 python optional pycryptodome_3.4.11.orig.tar.gz
 8ee1cadbb0c856c71d0099757a946717 801 python optional pycryptodome_3.4.11.orig.tar.gz.asc
 3c052d36c49fbe00368ebe8e57a2d9ab 9272 python optional pycryptodome_3.4.11-1.debian.tar.xz
 379d2e5da0292704338c57e05c8ae4af 8828 python optional pycryptodome_3.4.11-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEbctJ5K6JlvFsvhGhf6qUsnUUSpoFAlqeSUoACgkQf6qUsnUU
SpqUJBAAnjQSNFRNjVjl8B4g6VMtUAW8sePKlmdQrN/G1lowfbIGZUZSCf1ywcZn
TC71PcFOG1qXDIko6Z3SKqHNabsyYDJZdPc7Mewy+Bl2JfOZJFvlndcxBqOcmd6V
GWbbp9SUzhh8GTwarTctazaDzkjO0eiSDG4zRuqVDDDN/bbvTHTQh9QAxiYN8Wdw
xsvMxFOFYeaUDFCmv0xYpESgtvQSYte6zSCb1HjM4S1dEnv/LOQrtMZvRMJ3dXYL
rl2dU0yfwJVaUgxcFU46UxZ7zxRWzFo8XvdpYNwFtpARYoaRvectvZiNRrcgUNO1
0LCaeR2IoXxBX/sRfmlTDgk7kPxSlTVvsl0M96D2bmnEYn2mGvENhWQiTtkTcgBv
igIA8T79viKMq/9HONcpm5Xe3hdZUMxTK7dbDGznPP4n4LPMhDvZ5eFRdwtkxzHZ
FZqHyYK/94wGdcNI/kGmiiYsah5TR5Za3bKXO17GUDigp7zDgz1u8jP4KjKFphCC
1XREgALyZzUD7b9AGcfzjx9pJRPt/Z3rRp+FDdkuCj7u5X4Jzw/D7Qel6icK2HVr
7+FyuR7Ysfza8ZNVi/Yndikp9QhQznhmsZpnEcklZITxA7Bl+AqtOhxCmL879hgG
JEzgAbLvPXp9P9BAajRh4xuLzWvz2SCQGncI0xqF0xDHKn99ruY=
=GH9K
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 12 Jul 2018 07:29:49 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:21:43 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started