[Bug 1748572] Re: [MIR] pysmi, pycryptodome
Seth Arnold
1748572 at bugs.launchpad.net
Fri Mar 30 03:24:12 UTC 2018
I reviewed pycryptodome version 3.4.7-1 as checked into bionic. This is
not a full security audit, but rather a quick gauge of maintainability. I
especially did not investigate if the implementations are properly
constant-timed, free from leaks, implemented correctly, or suitable for
purpose.
One CVE against pycryptodome:
https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6594.html
Currently unfixed in our packaging. This flaw is shared with python-crypto
which is currently also unfixed. (While we rated it 'Medium', 'Low' might
also be appropriate.)
The fix wasn't exactly quick but the author and interested community
members had a professional discussion of the issue.
- pycryptodome is python-crypto brought back to life
- Build-Depends: dh-python, python-setuptools, python3-setuptools, python-all-dev, python3-all-dev, debhelper, python3-sphinx, python3-sphinx-rtd-theme
- Does not daemonize
- pre/post inst/rm scripts are automatically generated
- No systemd unit files
- No DBus services
- No setuid files
- No binaries in PATH
- No sudo fragments
- No udev rules
- Large test suite run during the build, not inspected closely
- No cronjobs
- dpkg emits some warnings:
  dpkg-gencontrol: warning: package python-pycryptodome: unused substitution variable ${python:Provides}
  dpkg-gencontrol: warning: package python-pycryptodome: unused substitution variable ${python:Versions}
  dpkg-gencontrol: warning: package python3-pycryptodome: unused substitution variable ${python3:Provides}
  dpkg-gencontrol: warning: package python3-pycryptodome: unused substitution variable ${python3:Versions}
  dpkg-gencontrol: warning: package python-pycryptodome: unused substitution variable ${python:Provides}
  dpkg-gencontrol: warning: package python-pycryptodome: unused substitution variable ${python:Versions}
  dpkg-gencontrol: warning: package python3-pycryptodome: unused substitution variable ${python3:Provides}
  dpkg-gencontrol: warning: package python3-pycryptodome: unused substitution variable ${python3:Versions}
- No subprocesses spawned
- Memory management looked careful
- No file IO
- No environment variables
- No privileged functions
- Extensive cryptography
- No networking
- No privileged portions of code
- No temporary files
- No WebKit
- No Javascript
- No policykit
- clean cppcheck
The code has extensive references in the comments throughout, errors are
checked, and there are a lot of tests.
Security team ACK for promoting pycryptodome to main.
Thanks
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-6594
** Changed in: pycryptodome (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
--
https://bugs.launchpad.net/bugs/1748572
Title:
  [MIR] pysmi, pycryptodome
Status in pycryptodome package in Ubuntu:
  New
Status in pysmi package in Ubuntu:
  New
Bug description:
[Rationale]
The new version of python-pysnmp4 adds dependencies on python-pycryptodome and python-pysmi, so these need to be MIRed.
>> pysmi <<
[Availability]
In universe
[Security]
No history: http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pysmi
[Quality assurance]
Package executes unit tests during package build.
[Dependencies]
All in main.
[Standards compliance]
OK
[Maintenance]
ubuntu-openstack
>> pycryptodome <<
[Availability]
In universe
[Security]
No history: http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pycryptodome
[Quality assurance]
Package executes unit tests during package build.
[Dependencies]
All in main.
[Standards compliance]
OK
[Maintenance]
ubuntu-openstack
[Background]
PyCryptodome is a fork of PyCrypto