In PyCrypto before v2.6.1, the Crypto.Random PRNG exhibits a race condition that may cause it to generate the same 'random' output in multiple processes that are forked from each other. Depending on the application, this could reveal sensitive information or cryptographic keys to remote attackers.

An application may be affected if, within 100 milliseconds, it performs the following steps (which may be summarized as "read-fork-read-read"):

1. Read from the Crypto.Random PRNG, causing an internal reseed;
2. Fork the process and invoke Crypto.Random.atfork() in the child;
3. Read from the Crypto.Random PRNG again, in at least two different processes (parent and child, or multiple children).

Only applications that invoke Crypto.Random.atfork() and perform the above steps are affected by this issue. Other applications are unaffected.

git repo: https://github.com/dlitz/pycrypto/
v2.6.1 tag id: ebb470d3f0982702e3e9b7fb9ebdaeed95903aaf
v2.6.1 commit id: 7fd528d03b5eae58eef6fd219af5d9ac9c83fa50

References:
http://seclists.org/oss-sec/2013/q4/122
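The read-fork-read-read sequence described above, written as a small test harness that reports whether forked processes return identical bytes. This is an added example, not part of the original report or of PyCrypto; `read_fork_read`, `has_duplicates` and `StaleStatePRNG` are hypothetical names, and `StaleStatePRNG` is a constructed stand-in whose atfork hook adds no entropy, not PyCrypto's generator.

```python
import hashlib
import os


def read_fork_read(read, atfork, children=2, nbytes=16):
    """Run read-fork-read-read; return the bytes each process produced."""
    read(nbytes)                        # step 1: read in the parent
    outputs = []
    for _ in range(children):
        r, w = os.pipe()
        pid = os.fork()                 # step 2: fork ...
        if pid == 0:
            status = 1
            try:
                os.close(r)
                atfork()                # ... and run the atfork hook in the child
                os.write(w, read(nbytes))   # step 3: read in the child
                status = 0
            finally:
                os._exit(status)        # child must never return into the caller
        os.close(w)
        with os.fdopen(r, "rb") as pipe:
            outputs.append(pipe.read())
        os.waitpid(pid, 0)
    outputs.append(read(nbytes))        # step 3: read in the parent too
    return outputs


def has_duplicates(outputs):
    """True if any two processes produced the same bytes."""
    return len(set(outputs)) != len(outputs)


class StaleStatePRNG:
    """Constructed stand-in: hash-chain generator whose atfork() adds nothing."""
    def __init__(self):
        self.state = os.urandom(32)

    def read(self, n):
        self.state = hashlib.sha256(self.state).digest()
        return self.state[:n]

    def atfork(self):
        pass                            # state inherited from the parent is reused


if __name__ == "__main__":
    weak = StaleStatePRNG()
    print(has_duplicates(read_fork_read(weak.read, weak.atfork)))  # stale state
    print(has_duplicates(read_fork_read(os.urandom, lambda: None)))  # OS source
```

To check an installed PyCrypto, pass `Crypto.Random.get_random_bytes` as `read` and `Crypto.Random.atfork` as `atfork`; any duplicate in the returned list means the processes shared PRNG output.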
Created python-crypto tracking bugs for this issue:
Affects: fedora-all [bug 1020818]
Affects: epel-5 [bug 1020819]
python-crypto-2.6.1-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
python-crypto-2.6.1-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
python-crypto-2.6.1-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This is now fixed in all current Fedora releases; EPEL-5 is not affected and no update has been issued.
Upstream commit: https://github.com/dlitz/pycrypto/commit/19dcf7b15d61b7dc1a125a367151de40df6ef175
Statement: Not Vulnerable. This issue does not affect the version of python-crypto package as shipped with Red Hat Enterprise Linux 6.