Bug 1542313 (CVE-2018-6594) - CVE-2018-6594 python-crypto: Weak ElGamal key parameters in PublicKey/ElGamal.py allow attackers to obtain sensitive information by reading ciphertext
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2018-6594
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1542314 1542315 1542316 1543114 1543115 1543116
Blocks: 1542317
Reported: 2018-02-06 05:15 UTC by Sam Fowler
Modified: 2021-12-07 19:33 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-02-21 03:49:34 UTC
Embargoed:



Description Sam Fowler 2018-02-06 05:15:01 UTC
lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generates weak ElGamal key parameters, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack).


External References:

https://github.com/TElgamal/attack-on-pycrypto-elgamal
https://github.com/Legrandin/pycryptodome/issues/90

Upstream Issue:

https://github.com/dlitz/pycrypto/issues/253

Comment 1 Sam Fowler 2018-02-06 05:15:49 UTC
Created python-crypto tracking bugs for this issue:

Affects: epel-all [bug 1542315]
Affects: fedora-all [bug 1542314]

Comment 5 Joshua Padman 2018-02-09 03:54:13 UTC
The Red Hat OpenStack packages that use functionality from the python-crypto libraries do not use the ElGamal functionality. Whilst the python-crypto code shipped is vulnerable, the vulnerable functionality is not used. Therefore, the Red Hat OpenStack python-crypto package will not be fixed at this stage.
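
The triage in comment 5 depends on whether shipped code actually loads the ElGamal module. A static check for that follows as an added example; it is not part of this bug report or of Red Hat's tooling, and the function name and sample input are constructed for illustration:

```python
import ast
import sys

# Module named in the bug description (lib/Crypto/PublicKey/ElGamal.py).
TARGET = "Crypto.PublicKey.ElGamal"
PACKAGE, _, LEAF = TARGET.rpartition(".")


def find_elgamal_use(source, filename="<constructed>"):
    """Return sorted (line, kind) pairs for code that loads the ElGamal module."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Import):
            # import Crypto.PublicKey.ElGamal [as name]
            if any(a.name == TARGET for a in node.names):
                hits.append((node.lineno, "import"))
        elif isinstance(node, ast.ImportFrom) and node.level == 0:
            names = {a.name for a in node.names}
            if node.module == TARGET:
                # from Crypto.PublicKey.ElGamal import generate
                hits.append((node.lineno, "from-import"))
            elif node.module == PACKAGE and names & {LEAF, "*"}:
                # from Crypto.PublicKey import ElGamal; a star import is
                # flagged conservatively for manual review.
                hits.append((node.lineno, "from-import"))
        elif isinstance(node, ast.Constant) and node.value == TARGET:
            # Dotted name passed as a string, e.g. to importlib.import_module().
            hits.append((node.lineno, "string-reference"))
    return sorted(hits)


# Constructed sample input, not taken from any Red Hat or OpenStack package.
SAMPLE = '''\
from Crypto.PublicKey import RSA
from Crypto.PublicKey import DSA, ElGamal
import Crypto.PublicKey.ElGamal as eg
import importlib
mod = importlib.import_module("Crypto.PublicKey.ElGamal")
from Crypto.Cipher import AES
'''

if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the files given.
    if len(sys.argv) == 1:
        print(find_elgamal_use(SAMPLE))
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as handle:
            for line, kind in find_elgamal_use(handle.read(), path):
                print(f"{path}:{line}: {kind}")
```

The check only sees references written out in the source; module names assembled at run time still need manual review.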

Comment 10 Product Security DevOps Team 2020-02-21 03:49:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-6594

