commit python3-pycrypto for openSUSE:Factory
Hello community, here is the log from the commit of package python3-pycrypto for openSUSE:Factory checked in at 2017-01-31 12:28:14 Comparing /work/SRC/openSUSE:Factory/python3-pycrypto (Old) and /work/SRC/openSUSE:Factory/.python3-pycrypto.new (New) Package is "python3-pycrypto" Changes: --- /work/SRC/openSUSE:Factory/python3-pycrypto/python3-pycrypto.changes 2016-05-17 17:11:47.0 +0200 +++ /work/SRC/openSUSE:Factory/.python3-pycrypto.new/python3-pycrypto.changes 2017-02-03 18:59:13.722107429 +0100 @@ -1,0 +2,6 @@ +Wed Jan 4 16:52:24 UTC 2017 - vu...@suse.com + +- Add CVE-2013-7459.patch: python-pycrypto: Heap buffer overflow in + ALGnew (bsc#1017420). + +--- New: CVE-2013-7459.patch Other differences: -- ++ python3-pycrypto.spec ++ --- /var/tmp/diff_new_pack.1dA0LE/_old 2017-02-03 18:59:14.342020361 +0100 +++ /var/tmp/diff_new_pack.1dA0LE/_new 2017-02-03 18:59:14.346019800 +0100 @@ -1,7 +1,7 @@ # # spec file for package python3-pycrypto # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -24,6 +24,7 @@ License:Python-2.0 Group: Development/Languages/Python Source: https://files.pythonhosted.org/packages/source/p/pycrypto/pycrypto-%{version}.tar.gz +Patch0: CVE-2013-7459.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: gmp-devel BuildRequires: python3-devel @@ -44,6 +45,7 @@ %prep %setup -q -n pycrypto-%{version} +%patch0 -p1 %build CFLAGS="%{optflags}" python3 setup.py build ++ CVE-2013-7459.patch ++ >From 48ce477c3668ef3a688e0a89db7415bcc785803d Mon Sep 17 00:00:00 2001 
From: LegrandinDate: Sun, 22 Dec 2013 22:24:46 +0100 Subject: [PATCH] Throw exception when IV is used with ECB or CTR The IV parameter is currently ignored when initializing a cipher in ECB or CTR mode. For CTR mode, it is confusing: it takes some time to see that a different parameter is needed (the counter). For ECB mode, it is outright dangerous. This patch forces an exception to be raised. (cherry picked from commit 8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4) Signed-off-by: Vincent Untz --- lib/Crypto/SelfTest/Cipher/common.py | 31 +++ src/block_template.c | 11 +++ 2 files changed, 34 insertions(+), 8 deletions(-) diff --git a/lib/Crypto/SelfTest/Cipher/common.py b/lib/Crypto/SelfTest/Cipher/common.py index 8bebed9..91ec743 100644 --- a/lib/Crypto/SelfTest/Cipher/common.py +++ b/lib/Crypto/SelfTest/Cipher/common.py 
@@ -239,19 +239,34 @@ class RoundtripTest(unittest.TestCase): return """%s .decrypt() output of .encrypt() should not be garbled""" % (self.module_name,) def runTest(self): -for mode in (self.module.MODE_ECB, self.module.MODE_CBC, self.module.MODE_CFB, self.module.MODE_OFB, self.module.MODE_OPENPGP): + +## ECB mode +mode = self.module.MODE_ECB +encryption_cipher = self.module.new(a2b_hex(self.key), mode) +ciphertext = encryption_cipher.encrypt(self.plaintext) +decryption_cipher = self.module.new(a2b_hex(self.key), mode) +decrypted_plaintext = decryption_cipher.decrypt(ciphertext) +self.assertEqual(self.plaintext, decrypted_plaintext) + +## OPENPGP mode +mode = self.module.MODE_OPENPGP +encryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv) +eiv_ciphertext = encryption_cipher.encrypt(self.plaintext) +eiv = eiv_ciphertext[:self.module.block_size+2] +ciphertext = eiv_ciphertext[self.module.block_size+2:] +decryption_cipher = self.module.new(a2b_hex(self.key), mode, eiv) +decrypted_plaintext = decryption_cipher.decrypt(ciphertext) +self.assertEqual(self.plaintext, decrypted_plaintext) + +## All other non-AEAD modes (but CTR) +for mode in (self.module.MODE_CBC, self.module.MODE_CFB, self.module.MODE_OFB): encryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv) ciphertext = encryption_cipher.encrypt(self.plaintext) - -if mode != self.module.MODE_OPENPGP: -decryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv) -else: -eiv = ciphertext[:self.module.block_size+2] -ciphertext = ciphertext[self.module.block_size+2:] -decryption_cipher =
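Review bot: The .changes entry and the "Patch0: CVE-2013-7459.patch" line in the spec hunk record this patch as the fix for the heap buffer overflow in ALGnew, but the patch's own subject is "Throw exception when IV is used with ECB or CTR" and its message mentions neither an overflow nor the CVE. Add a comment above Patch0 (or a sentence in the .changes entry) that names the upstream commit 8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4 and says how rejecting the IV relates to bsc#1017420, so that a later reader does not take the patch for an unrelated API change and drop it.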
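Review bot: In the runTest hunk of lib/Crypto/SelfTest/Cipher/common.py, the part shown only stops passing self.iv to MODE_ECB and keeps CTR out of the loop; nothing in it asserts that the new exception is actually raised. A negative test that calls self.module.new(a2b_hex(self.key), self.module.MODE_ECB, self.iv) and expects the exception would pin the behaviour this patch is carried for, and would fail loudly if the src/block_template.c part were lost in a later rebase.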
commit python3-pycrypto for openSUSE:Factory
Hello community, here is the log from the commit of package python3-pycrypto for openSUSE:Factory checked in at 2016-05-17 17:11:46 Comparing /work/SRC/openSUSE:Factory/python3-pycrypto (Old) and /work/SRC/openSUSE:Factory/.python3-pycrypto.new (New) Package is "python3-pycrypto" Changes: --- /work/SRC/openSUSE:Factory/python3-pycrypto/python3-pycrypto.changes 2015-10-26 12:48:47.0 +0100 +++ /work/SRC/openSUSE:Factory/.python3-pycrypto.new/python3-pycrypto.changes 2016-05-17 17:11:47.0 +0200 @@ -1,0 +2,8 @@ +Sun May 8 07:04:42 UTC 2016 - a...@gmx.de + +- specfile: + * changed to https for source url + * updated source url to files.pythonhosted.org + + +--- Other differences: -- ++ python3-pycrypto.spec ++ --- /var/tmp/diff_new_pack.eQHgyE/_old 2016-05-17 17:11:48.0 +0200 +++ /var/tmp/diff_new_pack.eQHgyE/_new 2016-05-17 17:11:48.0 +0200 @@ -1,7 +1,7 @@ # # spec file for package python3-pycrypto # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -23,7 +23,7 @@ Summary:Cryptographic modules for Python License:Python-2.0 Group: Development/Languages/Python -Source: http://pypi.python.org/packages/source/p/pycrypto/pycrypto-%{version}.tar.gz +Source: https://files.pythonhosted.org/packages/source/p/pycrypto/pycrypto-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: gmp-devel BuildRequires: python3-devel
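Review bot: The .changes hunk closes the new entry with two empty "+" lines before the "---" separator; one is enough, so drop the extra line. The spec hunk itself, which changes only the "Source:" line to https://files.pythonhosted.org/, matches what the entry describes.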
commit python3-pycrypto for openSUSE:Factory
Hello community, here is the log from the commit of package python3-pycrypto for openSUSE:Factory checked in at 2015-10-26 12:48:41 Comparing /work/SRC/openSUSE:Factory/python3-pycrypto (Old) and /work/SRC/openSUSE:Factory/.python3-pycrypto.new (New) Package is "python3-pycrypto" Changes: --- /work/SRC/openSUSE:Factory/python3-pycrypto/python3-pycrypto.changes 2014-12-22 12:53:12.0 +0100 +++ /work/SRC/openSUSE:Factory/.python3-pycrypto.new/python3-pycrypto.changes 2015-10-26 12:48:47.0 +0100 @@ -1,0 +2,6 @@ +Wed Oct 21 11:36:58 UTC 2015 - toddrme2...@gmail.com + +- Don't build with python3-buildservice-tweak. + The package detects the lack of randomness and aborts the build. + +--- Other differences: -- ++ python3-pycrypto.spec ++ --- /var/tmp/diff_new_pack.asmQcs/_old 2015-10-26 12:48:48.0 +0100 +++ /var/tmp/diff_new_pack.asmQcs/_new 2015-10-26 12:48:48.0 +0100 @@ -27,6 +27,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: gmp-devel BuildRequires: python3-devel +BuildConflicts: python3-buildservice-tweak %description The package contains:
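Review bot: The added "BuildConflicts: python3-buildservice-tweak" line in the spec hunk carries no explanation, and the reason ("The package detects the lack of randomness and aborts the build") exists only in the .changes entry. Put a one-line comment above the BuildConflicts line stating that reason, so the conflict is not removed as unexplained during a later spec cleanup.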
commit python3-pycrypto for openSUSE:Factory
Hello community, here is the log from the commit of package python3-pycrypto for openSUSE:Factory checked in at 2014-12-22 12:54:30 Comparing /work/SRC/openSUSE:Factory/python3-pycrypto (Old) and /work/SRC/openSUSE:Factory/.python3-pycrypto.new (New) Package is python3-pycrypto Changes: --- /work/SRC/openSUSE:Factory/python3-pycrypto/python3-pycrypto.changes 2013-06-20 16:59:20.0 +0200 +++ /work/SRC/openSUSE:Factory/.python3-pycrypto.new/python3-pycrypto.changes 2014-12-22 12:53:12.0 +0100 @@ -1,0 +2,13 @@ +Sun Dec 21 23:47:47 UTC 2014 - p.drou...@gmail.com + +- Remove useless make requirements +- Remove repreciated python(abi) rependency +- Remove unapplied ignore-fastmath-warning.diff + +--- +Thu Dec 18 18:30:25 UTC 2014 - a...@gmx.de + +- update to version 2.6.1: + * [CVE-2013-1445] Fix PRNG not correctly reseeded in some situations. + +--- Old: ignore-fastmath-warning.diff pycrypto-2.6.tar.gz New: pycrypto-2.6.1.tar.gz Other differences: -- ++ python3-pycrypto.spec ++ --- /var/tmp/diff_new_pack.I43ryM/_old 2014-12-22 12:53:12.0 +0100 +++ /var/tmp/diff_new_pack.I43ryM/_new 2014-12-22 12:53:12.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package python3-pycrypto # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: python3-pycrypto -Version:2.6 +Version:2.6.1 Release:0 Url:http://www.pycrypto.org/ Summary:Cryptographic modules for Python 
@@ -26,10 +26,7 @@ Source: http://pypi.python.org/packages/source/p/pycrypto/pycrypto-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: gmp-devel -BuildRequires: python3 -BuildRequires: python3-2to3 BuildRequires: python3-devel -Requires: python(abi) = %{py3_ver} %description The package contains: ++ pycrypto-2.6.tar.gz - pycrypto-2.6.1.tar.gz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pycrypto-2.6/ChangeLog new/pycrypto-2.6.1/ChangeLog --- old/pycrypto-2.6/ChangeLog 2012-05-24 14:55:30.0 +0200 +++ new/pycrypto-2.6.1/ChangeLog2013-10-14 23:38:10.0 +0200 
@@ -1,3 +1,55 @@ +2.6.1 += + * [CVE-2013-1445] Fix PRNG not correctly reseeded in some situations. + + In previous versions of PyCrypto, the Crypto.Random PRNG exhibits a + race condition that may cause forked processes to generate identical + sequences of 'random' numbers. + + This is a fairly obscure bug that will (hopefully) not affect many + applications, but the failure scenario is pretty bad. Here is some + sample code that illustrates the problem: + + from binascii import hexlify + import multiprocessing, pprint, time + import Crypto.Random + + def task_main(arg): + a = Crypto.Random.get_random_bytes(8) + time.sleep(0.1) + b = Crypto.Random.get_random_bytes(8) + rdy, ack = arg + rdy.set() + ack.wait() + return %s,%s % (hexlify(a).decode(), + hexlify(b).decode()) + + n_procs = 4 + manager = multiprocessing.Manager() + rdys = [manager.Event() for i in range(n_procs)] + acks = [manager.Event() for i in range(n_procs)] + Crypto.Random.get_random_bytes(1) + pool = multiprocessing.Pool(processes=n_procs, + initializer=Crypto.Random.atfork) + res_async = pool.map_async(task_main, zip(rdys, acks)) + pool.close() + [rdy.wait() for rdy in rdys] + [ack.set() for ack in acks] + res = res_async.get() + pprint.pprint(sorted(res)) + pool.join() + + The output should be random, but it looked like this: + + ['c607803ae01aa8c0,2e4de6457a304b34', + 'c607803ae01aa8c0,af80d08942b4c987', + 'c607803ae01aa8c0,b0e4c0853de927c4', + 'c607803ae01aa8c0,f0362585b3fceba4'] + + This release fixes the problem by resetting the rate-limiter when + Crypto.Random.atfork() is invoked. It also adds some tests and a +
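Review bot: In the .changes hunk, the "[CVE-2013-1445] Fix PRNG not correctly reseeded in some situations" line has no Bugzilla reference, so the security fix cannot be traced to a tracked bug from the package changelog; add the reference after the description. The imported ChangeLog text also states that the fix works "by resetting the rate-limiter when Crypto.Random.atfork() is invoked", which is worth repeating in the entry because forking callers that never call atfork() are not covered by what is described here.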
commit python3-pycrypto for openSUSE:Factory
Hello community, here is the log from the commit of package python3-pycrypto for openSUSE:Factory checked in at 2012-05-29 13:55:12 Comparing /work/SRC/openSUSE:Factory/python3-pycrypto (Old) and /work/SRC/openSUSE:Factory/.python3-pycrypto.new (New) Package is python3-pycrypto, Maintainer is Changes: New Changes file: NO CHANGES FILE!!! New: _link Other differences: -- ++ _link ++ link package=python-pycrypto cicount=copy /