authorjgh <jgh@FreeBSD.org>2012-06-26 00:06:47 +0800
committerjgh <jgh@FreeBSD.org>2012-06-26 00:06:47 +0800
commit85a094cb6ee90669deeacf4c6ae1409898651d32 (patch)
tree17b70db29961821c69117559cd169a664a8281af /security
parentfa647bdb72b7f5432abc6da0def8ab261e128a56 (diff)
- update to 2.6
PyCrypto before 2.6 does not produce appropriate prime numbers when using an ElGamal scheme to generate a key, which reduces the signature space or public key space and makes it easier for attackers to conduct brute force attacks to obtain the private key. PR: ports/169146 Approved by: portmgr
Diffstat (limited to 'security')
-rw-r--r--security/py-pycrypto/Makefile3
-rw-r--r--security/py-pycrypto/distinfo4
-rw-r--r--security/py-pycrypto/pkg-plist55
-rw-r--r--security/vuxml/vuln.xml40
4 files changed, 85 insertions, 17 deletions
diff --git a/security/py-pycrypto/Makefile b/security/py-pycrypto/Makefile
index bc5663c6ecf6..ffe760116d93 100644
--- a/security/py-pycrypto/Makefile
+++ b/security/py-pycrypto/Makefile
@@ -6,7 +6,7 @@
#
PORTNAME= pycrypto
-PORTVERSION= 2.5
+PORTVERSION= 2.6
CATEGORIES= security python
MASTER_SITES= http://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/
PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX}
@@ -16,6 +16,7 @@ COMMENT= The Python Cryptography Toolkit
USE_PYTHON= yes
USE_PYDISTUTILS=yes
+
HAS_CONFIGURE= yes
USE_AUTOTOOLS= autoconf
CPPFLAGS+= -I${LOCALBASE}/include
diff --git a/security/py-pycrypto/distinfo b/security/py-pycrypto/distinfo
index c66add2f7011..d0923e24f979 100644
--- a/security/py-pycrypto/distinfo
+++ b/security/py-pycrypto/distinfo
@@ -1,2 +1,2 @@
-SHA256 (pycrypto-2.5.tar.gz) = e950a78184e2a7defccf5d45e0c29c1e9edeb29984433f0d110a21e9631e38de
-SIZE (pycrypto-2.5.tar.gz) = 426802
+SHA256 (pycrypto-2.6.tar.gz) = 7293c9d7e8af2e44a82f86eb9c3b058880f4bcc884bf3ad6c8a34b64986edde8
+SIZE (pycrypto-2.6.tar.gz) = 443445
diff --git a/security/py-pycrypto/pkg-plist b/security/py-pycrypto/pkg-plist
index fab301baab4e..da094a77bb94 100644
--- a/security/py-pycrypto/pkg-plist
+++ b/security/py-pycrypto/pkg-plist
@@ -1,20 +1,47 @@
-%%PYTHON_SITELIBDIR%%/Crypto/Cipher/AES.so
-%%PYTHON_SITELIBDIR%%/Crypto/Cipher/ARC2.so
-%%PYTHON_SITELIBDIR%%/Crypto/Cipher/ARC4.so
-%%PYTHON_SITELIBDIR%%/Crypto/Cipher/Blowfish.so
-%%PYTHON_SITELIBDIR%%/Crypto/Cipher/CAST.so
-%%PYTHON_SITELIBDIR%%/Crypto/Cipher/DES.so
-%%PYTHON_SITELIBDIR%%/Crypto/Cipher/DES3.so
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/AES.py
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/AES.pyc
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/AES.pyo
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/ARC2.py
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/ARC2.pyc
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/ARC2.pyo
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/ARC4.py
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/ARC4.pyc
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/ARC4.pyo
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/Blowfish.py
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/Blowfish.pyc
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/Blowfish.pyo
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/CAST.py
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/CAST.pyc
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/CAST.pyo
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/DES.py
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/DES.pyc
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/DES.pyo
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/DES3.py
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/DES3.pyc
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/DES3.pyo
%%PYTHON_SITELIBDIR%%/Crypto/Cipher/PKCS1_OAEP.py
%%PYTHON_SITELIBDIR%%/Crypto/Cipher/PKCS1_OAEP.pyc
%%PYTHON_SITELIBDIR%%/Crypto/Cipher/PKCS1_OAEP.pyo
%%PYTHON_SITELIBDIR%%/Crypto/Cipher/PKCS1_v1_5.py
%%PYTHON_SITELIBDIR%%/Crypto/Cipher/PKCS1_v1_5.pyc
%%PYTHON_SITELIBDIR%%/Crypto/Cipher/PKCS1_v1_5.pyo
-%%PYTHON_SITELIBDIR%%/Crypto/Cipher/XOR.so
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/XOR.py
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/XOR.pyc
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/XOR.pyo
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/_AES.so
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/_ARC2.so
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/_ARC4.so
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/_Blowfish.so
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/_CAST.so
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/_DES.so
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/_DES3.so
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/_XOR.so
%%PYTHON_SITELIBDIR%%/Crypto/Cipher/__init__.py
%%PYTHON_SITELIBDIR%%/Crypto/Cipher/__init__.pyc
%%PYTHON_SITELIBDIR%%/Crypto/Cipher/__init__.pyo
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/blockalgo.py
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/blockalgo.pyc
+%%PYTHON_SITELIBDIR%%/Crypto/Cipher/blockalgo.pyo
%%PYTHON_SITELIBDIR%%/Crypto/Hash/HMAC.py
%%PYTHON_SITELIBDIR%%/Crypto/Hash/HMAC.pyc
%%PYTHON_SITELIBDIR%%/Crypto/Hash/HMAC.pyo
@@ -55,6 +82,9 @@
%%PYTHON_SITELIBDIR%%/Crypto/Hash/__init__.py
%%PYTHON_SITELIBDIR%%/Crypto/Hash/__init__.pyc
%%PYTHON_SITELIBDIR%%/Crypto/Hash/__init__.pyo
+%%PYTHON_SITELIBDIR%%/Crypto/Hash/hashalgo.py
+%%PYTHON_SITELIBDIR%%/Crypto/Hash/hashalgo.pyc
+%%PYTHON_SITELIBDIR%%/Crypto/Hash/hashalgo.pyo
%%PYTHON_SITELIBDIR%%/Crypto/Protocol/AllOrNothing.py
%%PYTHON_SITELIBDIR%%/Crypto/Protocol/AllOrNothing.pyc
%%PYTHON_SITELIBDIR%%/Crypto/Protocol/AllOrNothing.pyo
@@ -92,9 +122,6 @@
%%PYTHON_SITELIBDIR%%/Crypto/PublicKey/pubkey.py
%%PYTHON_SITELIBDIR%%/Crypto/PublicKey/pubkey.pyc
%%PYTHON_SITELIBDIR%%/Crypto/PublicKey/pubkey.pyo
-%%PYTHON_SITELIBDIR%%/Crypto/PublicKey/qNEW.py
-%%PYTHON_SITELIBDIR%%/Crypto/PublicKey/qNEW.pyc
-%%PYTHON_SITELIBDIR%%/Crypto/PublicKey/qNEW.pyo
%%PYTHON_SITELIBDIR%%/Crypto/Random/Fortuna/FortunaAccumulator.py
%%PYTHON_SITELIBDIR%%/Crypto/Random/Fortuna/FortunaAccumulator.pyc
%%PYTHON_SITELIBDIR%%/Crypto/Random/Fortuna/FortunaAccumulator.pyo
@@ -224,6 +251,9 @@
%%PYTHON_SITELIBDIR%%/Crypto/SelfTest/PublicKey/test_DSA.py
%%PYTHON_SITELIBDIR%%/Crypto/SelfTest/PublicKey/test_DSA.pyc
%%PYTHON_SITELIBDIR%%/Crypto/SelfTest/PublicKey/test_DSA.pyo
+%%PYTHON_SITELIBDIR%%/Crypto/SelfTest/PublicKey/test_ElGamal.py
+%%PYTHON_SITELIBDIR%%/Crypto/SelfTest/PublicKey/test_ElGamal.pyc
+%%PYTHON_SITELIBDIR%%/Crypto/SelfTest/PublicKey/test_ElGamal.pyo
%%PYTHON_SITELIBDIR%%/Crypto/SelfTest/PublicKey/test_RSA.py
%%PYTHON_SITELIBDIR%%/Crypto/SelfTest/PublicKey/test_RSA.pyc
%%PYTHON_SITELIBDIR%%/Crypto/SelfTest/PublicKey/test_RSA.pyo
@@ -340,9 +370,6 @@
%%PYTHON_SITELIBDIR%%/Crypto/Util/winrandom.py
%%PYTHON_SITELIBDIR%%/Crypto/Util/winrandom.pyc
%%PYTHON_SITELIBDIR%%/Crypto/Util/winrandom.pyo
-%%PYTHON_SITELIBDIR%%/Crypto/Util/wrapper.py
-%%PYTHON_SITELIBDIR%%/Crypto/Util/wrapper.pyc
-%%PYTHON_SITELIBDIR%%/Crypto/Util/wrapper.pyo
%%PYTHON_SITELIBDIR%%/Crypto/__init__.py
%%PYTHON_SITELIBDIR%%/Crypto/__init__.pyc
%%PYTHON_SITELIBDIR%%/Crypto/__init__.pyo
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index 88f86d8eb2c2..880b422c9c4f 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -52,6 +52,46 @@ Note: Please add new entries to the beginning of this file.
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="f45c0049-be72-11e1-a284-0023ae8e59f0">
+ <topic>pycrypto -- vulnerable ElGamal key generation</topic>
+ <affects>
+ <package>
+ <name>py-pycrypto</name>
+ <range><ge>2.5</ge><lt>2.6</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Dwayne C. Litzenberger of PyCrypto reports:</p>
+ <blockquote cite="http://lists.dlitz.net/pipermail/pycrypto/2012q2/000587.html">
+ <p>In the ElGamal schemes (for both encryption and signatures), g is
+ supposed to be the generator of the entire Z^*_p group. However, in
+ PyCrypto 2.5 and earlier, g is more simply the generator of a random
+ sub-group of Z^*_p.</p>
+ <p>The result is that the signature space (when the key is used for
+ signing) or the public key space (when the key is used for encryption)
+ may be greatly reduced from its expected size of log(p) bits, possibly
+ down to 1 bit (the worst case if the order of g is 2).</p>
+ <p>While it has not been confirmed, it has also been suggested that an
+ attacker might be able to use this fact to determine the private key.</p>
+ <p>Anyone using ElGamal keys should generate new keys as soon as
+ practical.</p>
+ <p>Any additional information about this bug will be tracked at
+ https://bugs.launchpad.net/pycrypto/+bug/985164</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2012-2417</cvename>
+ <url>http://lists.dlitz.net/pipermail/pycrypto/2012q2/000587.html</url>
+ <url>https://bugs.launchpad.net/pycrypto/+bug/985164</url>
+ </references>
+ <dates>
+ <discovery>2012-05-24</discovery>
+ <entry>2012-06-24</entry>
+ </dates>
+ </vuln>
+
<vuln vid="f46c4c6a-ba25-11e1-806a-001143cd36d8">
<topic>joomla -- Privilege Escalation</topic>
<affects>
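Review bot: The `<range>` in the new py-pycrypto entry, `<ge>2.5</ge><lt>2.6</lt>`, marks only 2.5.x as affected, while the advisory quoted in the same entry says "PyCrypto 2.5 and earlier" and the commit message says "before 2.6". A host still running an older py-pycrypto package would therefore not be reported by an audit that matches installed versions against this entry. Unless the lower bound is deliberate, `<range><lt>2.6</lt></range>` would agree with the quoted advisory. Upgrading the port does not replace ElGamal keys already generated with an affected version, so the quoted advice to generate new keys still applies after the update.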