commit python3-pycrypto for openSUSE:Factory

2017-02-03 Thread root
Hello community,

here is the log from the commit of package python3-pycrypto for 
openSUSE:Factory checked in at 2017-01-31 12:28:14

Comparing /work/SRC/openSUSE:Factory/python3-pycrypto (Old)
 and  /work/SRC/openSUSE:Factory/.python3-pycrypto.new (New)


Package is "python3-pycrypto"

Changes:

--- /work/SRC/openSUSE:Factory/python3-pycrypto/python3-pycrypto.changes
2016-05-17 17:11:47.0 +0200
+++ /work/SRC/openSUSE:Factory/.python3-pycrypto.new/python3-pycrypto.changes   
2017-02-03 18:59:13.722107429 +0100
@@ -1,0 +2,6 @@
+Wed Jan  4 16:52:24 UTC 2017 - vu...@suse.com
+
+- Add CVE-2013-7459.patch: python-pycrypto: Heap buffer overflow in
+  ALGnew (bsc#1017420).
+
+---
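
Review bot: the entry describes the fix as a heap buffer overflow in ALGnew, but the attached patch's subject is "Throw exception when IV is used with ECB or CTR", so a reader cannot tell from the changelog line that the two are the same change. Name the upstream commit the patch is cherry-picked from (8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4) or its subject in the entry, next to bsc#1017420.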

New:

  CVE-2013-7459.patch



Other differences:
--
++ python3-pycrypto.spec ++
--- /var/tmp/diff_new_pack.1dA0LE/_old  2017-02-03 18:59:14.342020361 +0100
+++ /var/tmp/diff_new_pack.1dA0LE/_new  2017-02-03 18:59:14.346019800 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package python3-pycrypto
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,6 +24,7 @@
 License:Python-2.0
 Group:  Development/Languages/Python
 Source: 
https://files.pythonhosted.org/packages/source/p/pycrypto/pycrypto-%{version}.tar.gz
+Patch0: CVE-2013-7459.patch
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  gmp-devel
 BuildRequires:  python3-devel
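
Review bot: the new "Patch0: CVE-2013-7459.patch" line has no comment above it saying what the patch is or where it comes from. Add a one-line comment in the spec with the CVE, bsc#1017420 and the upstream commit, so the tag can be understood without opening the .changes file.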
@@ -44,6 +45,7 @@
 
 %prep
 %setup -q -n pycrypto-%{version}
+%patch0 -p1
 
 %build
 CFLAGS="%{optflags}" python3 setup.py build

++ CVE-2013-7459.patch ++
>From 48ce477c3668ef3a688e0a89db7415bcc785803d Mon Sep 17 00:00:00 2001
From: Legrandin 
Date: Sun, 22 Dec 2013 22:24:46 +0100
Subject: [PATCH] Throw exception when IV is used with ECB or CTR

The IV parameter is currently ignored when initializing
a cipher in ECB or CTR mode.

For CTR mode, it is confusing: it takes some time to see
that a different parameter is needed (the counter).

For ECB mode, it is outright dangerous.

This patch forces an exception to be raised.

(cherry picked from commit 8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4)
Signed-off-by: Vincent Untz 
---
 lib/Crypto/SelfTest/Cipher/common.py | 31 +++
 src/block_template.c | 11 +++
 2 files changed, 34 insertions(+), 8 deletions(-)

diff --git a/lib/Crypto/SelfTest/Cipher/common.py 
b/lib/Crypto/SelfTest/Cipher/common.py
index 8bebed9..91ec743 100644
--- a/lib/Crypto/SelfTest/Cipher/common.py
+++ b/lib/Crypto/SelfTest/Cipher/common.py
@@ -239,19 +239,34 @@ class RoundtripTest(unittest.TestCase):
 return """%s .decrypt() output of .encrypt() should not be garbled""" 
% (self.module_name,)
 
 def runTest(self):
-for mode in (self.module.MODE_ECB, self.module.MODE_CBC, 
self.module.MODE_CFB, self.module.MODE_OFB, self.module.MODE_OPENPGP):
+
+## ECB mode
+mode = self.module.MODE_ECB
+encryption_cipher = self.module.new(a2b_hex(self.key), mode)
+ciphertext = encryption_cipher.encrypt(self.plaintext)
+decryption_cipher = self.module.new(a2b_hex(self.key), mode)
+decrypted_plaintext = decryption_cipher.decrypt(ciphertext)
+self.assertEqual(self.plaintext, decrypted_plaintext)
+
+## OPENPGP mode
+mode = self.module.MODE_OPENPGP
+encryption_cipher = self.module.new(a2b_hex(self.key), mode, self.iv)
+eiv_ciphertext = encryption_cipher.encrypt(self.plaintext)
+eiv = eiv_ciphertext[:self.module.block_size+2]
+ciphertext = eiv_ciphertext[self.module.block_size+2:]
+decryption_cipher = self.module.new(a2b_hex(self.key), mode, eiv)
+decrypted_plaintext = decryption_cipher.decrypt(ciphertext)
+self.assertEqual(self.plaintext, decrypted_plaintext)
+
+## All other non-AEAD modes (but CTR)
+for mode in (self.module.MODE_CBC, self.module.MODE_CFB, 
self.module.MODE_OFB):
 encryption_cipher = self.module.new(a2b_hex(self.key), mode, 
self.iv)
 ciphertext = encryption_cipher.encrypt(self.plaintext)
-
-if mode != self.module.MODE_OPENPGP:
-decryption_cipher = self.module.new(a2b_hex(self.key), mode, 
self.iv)
-else:
-eiv = ciphertext[:self.module.block_size+2]
-ciphertext = ciphertext[self.module.block_size+2:]
-decryption_cipher = 
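
Review bot: in runTest, the new ECB block only constructs the cipher without an IV, and nothing in the visible part of this hunk asserts that self.module.new(a2b_hex(self.key), self.module.MODE_ECB, self.iv) now raises, which is the behaviour the commit message says the patch enforces. If the remainder of the patch does not already cover it, add an assertRaises case for ECB and for CTR. The hunk is cut off here, and the src/block_template.c change listed in the diffstat is not shown, so the exception type and the check itself still need to be reviewed against the full patch.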

commit python3-pycrypto for openSUSE:Factory

2016-05-17 Thread h_root
Hello community,

here is the log from the commit of package python3-pycrypto for 
openSUSE:Factory checked in at 2016-05-17 17:11:46

Comparing /work/SRC/openSUSE:Factory/python3-pycrypto (Old)
 and  /work/SRC/openSUSE:Factory/.python3-pycrypto.new (New)


Package is "python3-pycrypto"

Changes:

--- /work/SRC/openSUSE:Factory/python3-pycrypto/python3-pycrypto.changes
2015-10-26 12:48:47.0 +0100
+++ /work/SRC/openSUSE:Factory/.python3-pycrypto.new/python3-pycrypto.changes   
2016-05-17 17:11:47.0 +0200
@@ -1,0 +2,8 @@
+Sun May  8 07:04:42 UTC 2016 - a...@gmx.de
+
+- specfile:
+  * changed to https for source url
+  * updated source url to files.pythonhosted.org
+
+
+---
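
Review bot: the entry ends with two empty lines before the separator, where the other entries in this changes file use one; drop the extra blank line. The two bullets under "specfile:" describe a single edit to the Source line and could be merged into one.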



Other differences:
--
++ python3-pycrypto.spec ++
--- /var/tmp/diff_new_pack.eQHgyE/_old  2016-05-17 17:11:48.0 +0200
+++ /var/tmp/diff_new_pack.eQHgyE/_new  2016-05-17 17:11:48.0 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package python3-pycrypto
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -23,7 +23,7 @@
 Summary:Cryptographic modules for Python
 License:Python-2.0
 Group:  Development/Languages/Python
-Source: 
http://pypi.python.org/packages/source/p/pycrypto/pycrypto-%{version}.tar.gz
+Source: 
https://files.pythonhosted.org/packages/source/p/pycrypto/pycrypto-%{version}.tar.gz
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  gmp-devel
 BuildRequires:  python3-devel




commit python3-pycrypto for openSUSE:Factory

2015-10-26 Thread h_root
Hello community,

here is the log from the commit of package python3-pycrypto for 
openSUSE:Factory checked in at 2015-10-26 12:48:41

Comparing /work/SRC/openSUSE:Factory/python3-pycrypto (Old)
 and  /work/SRC/openSUSE:Factory/.python3-pycrypto.new (New)


Package is "python3-pycrypto"

Changes:

--- /work/SRC/openSUSE:Factory/python3-pycrypto/python3-pycrypto.changes
2014-12-22 12:53:12.0 +0100
+++ /work/SRC/openSUSE:Factory/.python3-pycrypto.new/python3-pycrypto.changes   
2015-10-26 12:48:47.0 +0100
@@ -1,0 +2,6 @@
+Wed Oct 21 11:36:58 UTC 2015 - toddrme2...@gmail.com
+
+- Don't build with python3-buildservice-tweak.
+  The package detects the lack of randomness and aborts the build.
+
+---



Other differences:
--
++ python3-pycrypto.spec ++
--- /var/tmp/diff_new_pack.asmQcs/_old  2015-10-26 12:48:48.0 +0100
+++ /var/tmp/diff_new_pack.asmQcs/_new  2015-10-26 12:48:48.0 +0100
@@ -27,6 +27,7 @@
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  gmp-devel
 BuildRequires:  python3-devel
+BuildConflicts: python3-buildservice-tweak
 
 %description
 The package contains:
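
Review bot: "BuildConflicts: python3-buildservice-tweak" is added without a comment in the spec, so the reason (the package detects the lack of randomness and aborts the build, per the changes entry) is only recorded in the changelog. Put that one-line explanation directly above the BuildConflicts tag so it is not removed later as unexplained.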




commit python3-pycrypto for openSUSE:Factory

2014-12-22 Thread h_root
Hello community,

here is the log from the commit of package python3-pycrypto for 
openSUSE:Factory checked in at 2014-12-22 12:54:30

Comparing /work/SRC/openSUSE:Factory/python3-pycrypto (Old)
 and  /work/SRC/openSUSE:Factory/.python3-pycrypto.new (New)


Package is python3-pycrypto

Changes:

--- /work/SRC/openSUSE:Factory/python3-pycrypto/python3-pycrypto.changes
2013-06-20 16:59:20.0 +0200
+++ /work/SRC/openSUSE:Factory/.python3-pycrypto.new/python3-pycrypto.changes   
2014-12-22 12:53:12.0 +0100
@@ -1,0 +2,13 @@
+Sun Dec 21 23:47:47 UTC 2014 - p.drou...@gmail.com
+
+- Remove useless make requirements
+- Remove repreciated python(abi) rependency
+- Remove unapplied ignore-fastmath-warning.diff
+
+---
+Thu Dec 18 18:30:25 UTC 2014 - a...@gmx.de
+
+- update to version 2.6.1:
+  * [CVE-2013-1445] Fix PRNG not correctly reseeded in some situations.
+
+---
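
Review bot: the second bullet of the Dec 21 entry has two typos, "repreciated" and "rependency"; it should read "Remove deprecated python(abi) dependency". The 2.6.1 entry carries a CVE fix (CVE-2013-1445) but no bug tracker reference next to it; add one if a bug exists for it.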

Old:

  ignore-fastmath-warning.diff
  pycrypto-2.6.tar.gz

New:

  pycrypto-2.6.1.tar.gz



Other differences:
--
++ python3-pycrypto.spec ++
--- /var/tmp/diff_new_pack.I43ryM/_old  2014-12-22 12:53:12.0 +0100
+++ /var/tmp/diff_new_pack.I43ryM/_new  2014-12-22 12:53:12.0 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package python3-pycrypto
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:   python3-pycrypto
-Version:2.6
+Version:2.6.1
 Release:0
 Url:http://www.pycrypto.org/
 Summary:Cryptographic modules for Python
@@ -26,10 +26,7 @@
 Source: 
http://pypi.python.org/packages/source/p/pycrypto/pycrypto-%{version}.tar.gz
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  gmp-devel
-BuildRequires:  python3
-BuildRequires:  python3-2to3
 BuildRequires:  python3-devel
-Requires:   python(abi) = %{py3_ver}
 
 %description
 The package contains:
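
Review bot: removing "Requires: python(abi) = %{py3_ver}" leaves no explicit runtime requirement on the Python version the package was built against, and nothing in this hunk replaces it. The package still builds against python3-devel and gmp-devel, so confirm that the requirement is generated automatically at build time and say so in the changes entry instead of only calling the tag deprecated.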

++ pycrypto-2.6.tar.gz - pycrypto-2.6.1.tar.gz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pycrypto-2.6/ChangeLog new/pycrypto-2.6.1/ChangeLog
--- old/pycrypto-2.6/ChangeLog  2012-05-24 14:55:30.0 +0200
+++ new/pycrypto-2.6.1/ChangeLog2013-10-14 23:38:10.0 +0200
@@ -1,3 +1,55 @@
+2.6.1
+=
+   * [CVE-2013-1445] Fix PRNG not correctly reseeded in some situations.
+
+ In previous versions of PyCrypto, the Crypto.Random PRNG exhibits a
+ race condition that may cause forked processes to generate identical
+ sequences of 'random' numbers.
+
+ This is a fairly obscure bug that will (hopefully) not affect many
+ applications, but the failure scenario is pretty bad.  Here is some
+ sample code that illustrates the problem:
+
+ from binascii import hexlify
+ import multiprocessing, pprint, time
+ import Crypto.Random
+
+ def task_main(arg):
+ a = Crypto.Random.get_random_bytes(8)
+ time.sleep(0.1)
+ b = Crypto.Random.get_random_bytes(8)
+ rdy, ack = arg
+ rdy.set()
+ ack.wait()
+ return %s,%s % (hexlify(a).decode(),
+   hexlify(b).decode())
+
+ n_procs = 4
+ manager = multiprocessing.Manager()
+ rdys = [manager.Event() for i in range(n_procs)]
+ acks = [manager.Event() for i in range(n_procs)]
+ Crypto.Random.get_random_bytes(1)
+ pool = multiprocessing.Pool(processes=n_procs,
+ initializer=Crypto.Random.atfork)
+ res_async = pool.map_async(task_main, zip(rdys, acks))
+ pool.close()
+ [rdy.wait() for rdy in rdys]
+ [ack.set() for ack in acks]
+ res = res_async.get()
+ pprint.pprint(sorted(res))
+ pool.join()
+
+ The output should be random, but it looked like this:
+
+ ['c607803ae01aa8c0,2e4de6457a304b34',
+  'c607803ae01aa8c0,af80d08942b4c987',
+  'c607803ae01aa8c0,b0e4c0853de927c4',
+  'c607803ae01aa8c0,f0362585b3fceba4']
+
+ This release fixes the problem by resetting the rate-limiter when
+ Crypto.Random.atfork() is invoked.  It also adds some tests and a
+ 
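
Review bot: in the sample's task_main, the line "return %s,%s % (hexlify(a).decode()," has no quotes around the format string as shown here, so the snippet is not valid Python as written; it should be a quoted '%s,%s'. The text also states that the fix works by resetting the rate-limiter when Crypto.Random.atfork() is invoked, while the package changes entry only says "Fix PRNG not correctly reseeded in some situations"; consider mentioning atfork() there so that users whose code forks know the call is still required.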

commit python3-pycrypto for openSUSE:Factory

2012-05-29 Thread h_root
Hello community,

here is the log from the commit of package python3-pycrypto for 
openSUSE:Factory checked in at 2012-05-29 13:55:12

Comparing /work/SRC/openSUSE:Factory/python3-pycrypto (Old)
 and  /work/SRC/openSUSE:Factory/.python3-pycrypto.new (New)


Package is python3-pycrypto, Maintainer is 

Changes:

New Changes file:

NO CHANGES FILE!!!

New:

  _link



Other differences:
--
++ _link ++
link package=python-pycrypto cicount=copy /