Bug 1020814 - (CVE-2013-1445) CVE-2013-1445 python-crypto: PRNG not correctly reseeded in some situations
CVE-2013-1445 python-crypto: PRNG not correctly reseeded in some situations
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20131017,reported=2...
: Security
Depends On: 1020818 1020819
Blocks: 1020831
  Show dependency treegraph
 
Reported: 2013-10-18 06:43 EDT by Ratul Gupta
Modified: 2014-01-27 03:45 EST (History)
4 users (show)

See Also:
Fixed In Version: python-crypto 2.6.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-25 23:47:48 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ratul Gupta 2013-10-18 06:43:58 EDT
In PyCrypto before v2.6.1, the Crypto.Random PRNG exhibits a race condition that may cause it to generate the same 'random' output in multiple processes that are forked from each other. Depending on the application, this could reveal sensitive information or cryptographic keys to remote attackers.

An application may be affected if, within 100 milliseconds, it performs the following steps (which may be summarized as "read-fork-read-read"):

1. Read from the Crypto.Random PRNG, causing an internal reseed;
2. Fork the process and invoke Crypto.Random.atfork() in the child;
3. Read from the Crypto.Random PRNG again, in at least two different processes (parent and child, or multiple children).

Only applications that invoke Crypto.Random.atfork() and perform the above steps are affected by this issue.  Other applications are unaffected.

git repo: https://github.com/dlitz/pycrypto/
v2.6.1 tag id: ebb470d3f0982702e3e9b7fb9ebdaeed95903aaf
v2.6.1 commit id: 7fd528d03b5eae58eef6fd219af5d9ac9c83fa50

References:
http://seclists.org/oss-sec/2013/q4/122
Comment 2 Ratul Gupta 2013-10-18 06:46:35 EDT
Created python-crypto tracking bugs for this issue:

Affects: fedora-all [bug 1020818]
Affects: epel-5 [bug 1020819]
Comment 4 Fedora Update System 2013-10-26 23:57:49 EDT
python-crypto-2.6.1-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2013-10-27 00:01:29 EDT
python-crypto-2.6.1-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2013-10-27 01:30:56 EDT
python-crypto-2.6.1-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-10-27 01:35:12 EDT
python-crypto-2.6.1-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2013-11-10 02:05:47 EST
python-crypto-2.6.1-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Paul Howarth 2013-11-10 05:35:13 EST
This is now fixed in all current Fedora releases; EPEL-5 is not affected and no update has been issued.
Comment 10 Huzaifa S. Sidhpurwala 2013-11-25 23:45:14 EST
Upstream commit:

https://github.com/dlitz/pycrypto/commit/19dcf7b15d61b7dc1a125a367151de40df6ef175
Comment 11 Huzaifa S. Sidhpurwala 2013-11-25 23:47:48 EST
Statement:

Not Vulnerable. This issue does not affect the version of python-crypto package as shipped with Red Hat Enterprise Linux 6.

Note You need to log in before you can comment on or make changes to this bug.