#1586 closed defect (somebody else's problem)
"PowmInsecureWarning: Not using mpz_powm_sec" warning from PyCrypto
Reported by: | davidsarah | Owned by: | somebody |
---|---|---|---|
Priority: | normal | Milestone: | eventually |
Component: | packaging | Version: | 1.9.0b1 |
Keywords: | pycrypto-lib libgmp security sftp | Cc: | |
Launchpad Bug: |
Description (last modified by zooko)
This warning occurs when importing PyCrypto 2.4.1 (possibly depending on how the PyCrypto egg for the current platform was built):
/usr/local/lib/python2.6/dist-packages/pycrypto-2.4.1-py2.6-linux-x86_64.egg/Crypto/Util/number.py:57: PowmInsecureWarning: Not using mpz_powm_sec. You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.
We probably just need to accelerate the programme to get rid of our dependency (via Twisted) on PyCrypto: http://twistedmatrix.com/trac/ticket/4633
Change History (10)
comment:1 Changed at 2011-11-17T22:52:27Z by davidsarah
- Description modified (diff)
comment:2 Changed at 2012-04-01T04:36:31Z by davidsarah
- Milestone changed from undecided to eventually
- Priority changed from minor to normal
comment:3 Changed at 2012-05-14T04:10:34Z by david-sarah@…
comment:4 Changed at 2012-05-14T14:53:56Z by david-sarah <david-sarah@…>
In 4b80299fddd7ece4:
comment:5 Changed at 2012-05-14T21:40:43Z by david-sarah@…
comment:6 Changed at 2012-05-15T15:59:54Z by zooko
I reviewed 4b80299fddd7ece4 and saw no problem with it.
comment:7 Changed at 2013-10-10T19:25:47Z by zooko
- Description modified (diff)
- Resolution set to fixed
- Status changed from new to closed
This was apparently fixed by the warning-suppression patch [4b80299fddd7ece4].
comment:8 Changed at 2013-10-17T14:43:19Z by daira
- Resolution fixed deleted
- Status changed from closed to reopened
Well, the potential timing vulnerability is not fixed. (It affects only the SFTP frontend, and is documented at SftpFrontend, which I just updated to reflect that PyCrypto 2.4.1 is still vulnerable.)
As the message clearly says, someone "should rebuild [PyCrypto] using libgmp >= 5". Reopening in order to close as "somebody else's problem".
comment:9 Changed at 2013-10-17T14:43:51Z by daira
- Keywords libgmp security sftp added
- Resolution set to somebody else's problem
- Status changed from reopened to closed
comment:10 Changed at 2013-10-17T14:54:30Z by daira
Actually, maybe this is partly our problem after all, since we build the PyCrypto eggs that are hosted at https://tahoe-lafs.org/source/tahoe-lafs/deps/tahoe-dep-eggs. Filed as #2094.
In 4b80299fddd7ece4: