#2094 closed defect (somebody else's problem)

rebuild (if necessary) PyCrypto eggs to use libgmp >= 5, to mitigate RSA timing attack

Reported by: daira Owned by:
Priority: normal Milestone: undecided
Component: packaging Version: 1.10.0
Keywords: pycrypto-lib libgmp rsa security sftp packaging eggs packaging Cc:
Launchpad Bug:

Description

The PyCrypto eggs at https://tahoe-lafs.org/source/tahoe-lafs/deps/tahoe-dep-eggs/ may need to be rebuilt against libgmp >= 5 in order to mitigate a timing attack. I don't know what libgmp versions the eggs currently hosted there are built against. See also #1586, which suppressed the (mostly useless to end-users) warning about this.

Change History (5)

comment:1 Changed at 2014-09-07T17:23:36Z by daira

  • Keywords openitp-packaging added

comment:2 Changed at 2014-09-25T15:54:03Z by daira

  • Keywords openitp-packaging removed

comment:3 Changed at 2016-03-25T20:29:40Z by daira

Twisted 16.0.0 removed their dependency on PyCrypto.

Note that the cryptography library still uses the Python stdlib's pow function when gmpy is not installed, and so 'may' be vulnerable to the same timing attack. gmpy is no longer maintained; cryptography should probably switch to gmpy2 which has binary wheels.

Version 1, edited at 2016-03-25T20:29:54Z by daira (previous) (next) (diff)

comment:4 Changed at 2016-03-25T20:31:01Z by daira

  • Resolution set to somebody else's problem
  • Status changed from new to closed

comment:5 Changed at 2016-03-27T13:20:32Z by daira

The Twisted ticket to stop depending on gmpy is https://twistedmatrix.com/trac/ticket/8079.

Note: See TracTickets for help on using tickets.