Bug 1020814 (CVE-2013-1445) - CVE-2013-1445 python-crypto: PRNG not correctly reseeded in some situations
Summary: CVE-2013-1445 python-crypto: PRNG not correctly reseeded in some situations
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2013-1445
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1020818 1020819
Blocks: 1020831
TreeView+ depends on / blocked
 
Reported: 2013-10-18 10:43 UTC by Ratul Gupta
Modified: 2019-09-29 13:09 UTC (History)
4 users (show)

Fixed In Version: python-crypto 2.6.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-26 04:47:48 UTC


Attachments (Terms of Use)

Description Ratul Gupta 2013-10-18 10:43:58 UTC
In PyCrypto before v2.6.1, the Crypto.Random PRNG exhibits a race condition that may cause it to generate the same 'random' output in multiple processes that are forked from each other. Depending on the application, this could reveal sensitive information or cryptographic keys to remote attackers.

An application may be affected if, within 100 milliseconds, it performs the following steps (which may be summarized as "read-fork-read-read"):

1. Read from the Crypto.Random PRNG, causing an internal reseed;
2. Fork the process and invoke Crypto.Random.atfork() in the child;
3. Read from the Crypto.Random PRNG again, in at least two different processes (parent and child, or multiple children).

Only applications that invoke Crypto.Random.atfork() and perform the above steps are affected by this issue.  Other applications are unaffected.

git repo: https://github.com/dlitz/pycrypto/
v2.6.1 tag id: ebb470d3f0982702e3e9b7fb9ebdaeed95903aaf
v2.6.1 commit id: 7fd528d03b5eae58eef6fd219af5d9ac9c83fa50

References:
http://seclists.org/oss-sec/2013/q4/122

Comment 2 Ratul Gupta 2013-10-18 10:46:35 UTC
Created python-crypto tracking bugs for this issue:

Affects: fedora-all [bug 1020818]
Affects: epel-5 [bug 1020819]

Comment 4 Fedora Update System 2013-10-27 03:57:49 UTC
python-crypto-2.6.1-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2013-10-27 04:01:29 UTC
python-crypto-2.6.1-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2013-10-27 05:30:56 UTC
python-crypto-2.6.1-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2013-10-27 05:35:12 UTC
python-crypto-2.6.1-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2013-11-10 07:05:47 UTC
python-crypto-2.6.1-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Paul Howarth 2013-11-10 10:35:13 UTC
This is now fixed in all current Fedora releases; EPEL-5 is not affected and no update has been issued.

Comment 10 Huzaifa S. Sidhpurwala 2013-11-26 04:45:14 UTC
Upstream commit:

https://github.com/dlitz/pycrypto/commit/19dcf7b15d61b7dc1a125a367151de40df6ef175

Comment 11 Huzaifa S. Sidhpurwala 2013-11-26 04:47:48 UTC
Statement:

Not Vulnerable. This issue does not affect the version of python-crypto package as shipped with Red Hat Enterprise Linux 6.


Note You need to log in before you can comment on or make changes to this bug.