Bug 809267 (CVE-2012-3458) - CVE-2012-3458 python-beaker: weak use of crypto can leak information to remote attackers
Summary: CVE-2012-3458 python-beaker: weak use of crypto can leak information to remot...
Alias: CVE-2012-3458
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 847898
Blocks: 826710
TreeView+ depends on / blocked
Reported: 2012-04-02 22:28 UTC by Vincent Danen
Modified: 2021-02-24 12:46 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2019-06-10 10:58:26 UTC

Attachments (Terms of Use)

Description Vincent Danen 2012-04-02 22:28:46 UTC
It was discovered that python-beaker, a library for web applications, used weak cryptography with its encryption backend.  The encryption backend can use one of several backends, including python-crypto.  With the default parameters, when python-crypto is used, it will use ECB cipher mode, and any two 16-byte-aligned plaintext blocks with the same contents will be encrypted into the same ciphertext blocks at the corresponding positions.  An attacker able to guess the structure of a part of the session data, and influence contents of some data, could use this to check whether other parts of the session have a specific value.

When python-beaker uses other encryption backends, such as pycryptopp, it uses the CTR cipher mode rather than ECB, which does not have this vulnerability.

In Red Hat Enterprise Linux 6, python-beaker does not support or use python-crypto, and is not vulnerable to this flaw.

In current Fedora releases, python-beaker can use both backends, but prefers pycryptopp (and the package Requires it), and is not vulnerable to this flaw.


Not vulnerable. This issue did not affect the versions of python-beaker as shipped with Red Hat Enterprise Linux 6 as it did not include support for using python-crypto.

Comment 7 Vincent Danen 2012-08-13 23:26:43 UTC
This is now public:


Probably also want this patch as well (to prefer nsscrypto over pycrypto):


Comment 8 Vincent Danen 2012-08-13 23:29:25 UTC
Created python-beaker tracking bugs for this issue

Affects: epel-5 [bug 847898]

Note You need to log in before you can comment on or make changes to this bug.