I reviewed pycryptodome version 3.4.7-1 as checked into bionic. This is not a full security audit, but rather a quick gauge of maintainability. I especially did not investigate if the implementations are properly constant-timed, free from leaks, implemented correctly, or suitable for purpose.
One CVE against pycryptodome: https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6594.html
Currently unfixed in our packaging. This flaw is shared with python-crypto which is currently also unfixed. (While we rated it 'Medium', 'Low' might also be appropriate.) The fix wasn't exactly quick but the author and interested community members had a professional discussion of the issue.

- pycryptodome is python-crypto brought back to life
- Build-Depends: dh-python, python-setuptools, python3-setuptools, python-all-dev, python3-all-dev, debhelper, python3-sphinx, python3-sphinx-rtd-theme
- Does not daemonize
- pre/post inst/rm scripts are automatically generated
- No systemd unit files
- No DBus services
- No setuid files
- No binaries in PATH
- No sudo fragments
- No udev rules
- Large test suite run during the build, not inspected closely
- No cronjobs
- dpkg emits some warnings:
  dpkg-gencontrol: warning: package python-pycryptodome: unused substitution variable ${python:Provides}
  dpkg-gencontrol: warning: package python-pycryptodome: unused substitution variable ${python:Versions}
  dpkg-gencontrol: warning: package python3-pycryptodome: unused substitution variable ${python3:Provides}
  dpkg-gencontrol: warning: package python3-pycryptodome: unused substitution variable ${python3:Versions}
  dpkg-gencontrol: warning: package python-pycryptodome: unused substitution variable ${python:Provides}
  dpkg-gencontrol: warning: package python-pycryptodome: unused substitution variable ${python:Versions}
  dpkg-gencontrol: warning: package python3-pycryptodome: unused substitution variable ${python3:Provides}
  dpkg-gencontrol: warning: package python3-pycryptodome: unused substitution variable ${python3:Versions}
- No subprocesses spawned
- Memory management looked careful
- No file IO
- No environment variables
- No privileged functions
- Extensive cryptography
- No networking
- No privileged portions of code
- No temporary files
- No WebKit
- No Javascript
- No policykit
- clean cppcheck

The code has extensive references in the comments throughout, errors are checked, there are a lot of tests.

Security team ACK for promoting pycryptodome to main.

Thanks

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-6594

** Changed in: pycryptodome (Ubuntu)
       Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
https://bugs.launchpad.net/bugs/1748572
Title: [MIR] pysmi, pycryptodome

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
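As an added illustration (not the reviewer's own tooling and not part of this bug report), a small POSIX shell check that applies the packaging items from the checklist above (setuid files, binaries in PATH, sudo fragments, udev rules, cron jobs, systemd units, D-Bus and policykit files) to a `dpkg -c` style listing of a .deb. The two sample listings are constructed for the example, not real package contents.

```sh
#!/bin/sh
# Scan a .deb content listing (the tar -tv format that `dpkg -c pkg.deb` prints)
# for the packaging items in the MIR checklist. A symlink line ends in "name -> target".
# Prints one finding per line; exit status is 0 when nothing is flagged.
mir_scan() {
    findings=0
    while IFS= read -r line; do
        mode=${line%% *}                        # first field: permission bits
        case "$mode" in d*) continue ;; esac    # directories are never findings
        path=${line% -> *}                      # drop a symlink target, if any
        path=${path##* }                        # last field: the member name
        path=${path#.}                          # "./usr/bin/x" -> "/usr/bin/x"
        case "$mode" in                         # 's' in the user or group exec slot
            ???[sS]*|??????[sS]*) echo "setuid/setgid file: $path"; findings=$((findings + 1)) ;;
        esac
        case "$path" in
            /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*)   kind="binary in PATH" ;;
            /etc/sudoers.d/*)                         kind="sudo fragment" ;;
            /lib/udev/rules.d/*|/etc/udev/rules.d/*)  kind="udev rule" ;;
            /etc/cron.*/*|/etc/crontab)               kind="cron job" ;;
            /lib/systemd/system/*|/usr/lib/systemd/system/*|/etc/systemd/system/*) kind="systemd unit" ;;
            /usr/share/dbus-1/*|/etc/dbus-1/*)        kind="D-Bus file" ;;
            /usr/share/polkit-1/*)                    kind="policykit file" ;;
            *) continue ;;
        esac
        echo "$kind: $path"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample listings: a pure-Python library laid out like
# python3-pycryptodome, and a hypothetical package that trips several checks.
CLEAN_LISTING='drwxr-xr-x root/root 0 2018-02-09 12:00 ./usr/lib/python3/dist-packages/Crypto/
-rw-r--r-- root/root 1234 2018-02-09 12:00 ./usr/lib/python3/dist-packages/Crypto/__init__.py
-rw-r--r-- root/root 900 2018-02-09 12:00 ./usr/share/doc/python3-pycryptodome/copyright'
DIRTY_LISTING='-rwsr-xr-x root/root 4096 2018-02-09 12:00 ./usr/bin/helper
-rw-r--r-- root/root 120 2018-02-09 12:00 ./etc/sudoers.d/helper
-rw-r--r-- root/root 300 2018-02-09 12:00 ./lib/systemd/system/helper.service
lrwxrwxrwx root/root 0 2018-02-09 12:00 ./usr/sbin/helper -> ../bin/helper'

# Number of findings for a listing passed as a string (hypothetical helper).
count_findings() { printf '%s\n' "$1" | mir_scan | wc -l | tr -d ' '; }
```

Run it on a real package with `dpkg -c python3-pycryptodome_*.deb | mir_scan`; a non-zero exit status means at least one checklist item needs a closer look.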