Bug 809267 - (CVE-2012-3458) CVE-2012-3458 python-beaker: weak use of crypto can leak information to remote attackers
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
Priority: medium  Severity: medium
Assigned To: Red Hat Product Security
: Security
Depends On: 847898
Blocks: 826710
Reported: 2012-04-02 18:28 EDT by Vincent Danen
Modified: 2012-08-13 19:29 EDT (History)

Doc Type: Bug Fix

Description Vincent Danen 2012-04-02 18:28:46 EDT
It was discovered that python-beaker, a library for web applications, used weak cryptography with its encryption backend.  The encryption backend can use one of several backends, including python-crypto.  With the default parameters, when python-crypto is used, it will use ECB cipher mode, and any two 16-byte-aligned plaintext blocks with the same contents will be encrypted into the same ciphertext blocks at the corresponding positions.  An attacker able to guess the structure of a part of the session data, and influence contents of some data, could use this to check whether other parts of the session have a specific value.

When python-beaker uses other encryption backends, such as pycryptopp, it uses the CTR cipher mode rather than ECB, which does not have this vulnerability.

In Red Hat Enterprise Linux 6, python-beaker does not support or use python-crypto, and is not vulnerable to this flaw.

In current Fedora releases, python-beaker can use both backends, but prefers pycryptopp (and the package Requires it), and is not vulnerable to this flaw.


Not vulnerable. This issue did not affect the versions of python-beaker as shipped with Red Hat Enterprise Linux 6 as it did not include support for using python-crypto.
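The block-equality check described in the report, as an added worked example (editor's code, not python-beaker's or python-crypto's). It assumes a constructed session layout in which the secret field occupies exactly the first 16-byte block and an attacker-controlled field follows it; the 16-byte block cipher is a stdlib Feistel stand-in for AES (hypothetical, chosen so the script runs without pycrypto), which does not change the ECB-versus-CTR behaviour being shown.

```python
import hashlib
import os
import struct

BLOCK = 16  # AES block size in bytes; the stand-in cipher below uses the same size


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function for the stand-in cipher: keyed SHA-256, truncated to one 8-byte half.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher (4-round Feistel network over 8-byte halves).

    Assumption: this replaces AES only so the example needs no third-party module.
    It is a keyed permutation, which is all ECB and CTR rely on for the property shown.
    """
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: each plaintext block is encrypted independently, so equal blocks give equal ciphertext blocks.
    data = pkcs7_pad(data)
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # CTR: plaintext is XORed with E(key, nonce || counter); equal blocks at different positions
    # get different keystream, so the leak below does not apply.
    assert len(nonce) == 8
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        keystream = block_encrypt(key, nonce + struct.pack(">Q", i // BLOCK))
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], keystream))
    return bytes(out)


def session_blob(role: str, nick: bytes) -> bytes:
    # Constructed layout: block 0 is exactly b"role=" + 10-char role + b";" (16 bytes),
    # followed by b"nick=" and attacker-supplied bytes. Real beaker sessions are pickled, but the
    # attack only needs the attacker to know the structure and control some of the contents.
    assert len(role) <= 10
    return b"role=" + role.ljust(10).encode() + b";nick=" + nick + b";"


def attacker_nick(guess: str) -> bytes:
    # The attacker's bytes start at offset 21 (16 + len(b"nick=")). Eleven filler bytes reach the
    # next block boundary; the following 16 bytes are the attacker's guess of block 0 verbatim.
    filler = b"A" * (2 * BLOCK - (BLOCK + len(b"nick=")))
    return filler + b"role=" + guess.ljust(10).encode() + b";"


def has_repeated_blocks(ciphertext: bytes) -> bool:
    # Generic detector: ECB with repeated plaintext blocks shows up as repeated ciphertext blocks.
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) != len(set(blocks))


def ecb_oracle(key: bytes, true_role: str, guess: str) -> bool:
    # True iff ciphertext block 2 (the guess) equals block 0 (the secret): the leak from the report.
    ct = ecb_encrypt(key, session_blob(true_role, attacker_nick(guess)))
    return ct[0:BLOCK] == ct[2 * BLOCK:3 * BLOCK]


def ctr_oracle(key: bytes, nonce: bytes, true_role: str, guess: str) -> bool:
    ct = ctr_encrypt(key, nonce, session_blob(true_role, attacker_nick(guess)))
    return ct[0:BLOCK] == ct[2 * BLOCK:3 * BLOCK]


DEMO_KEY = os.urandom(16)   # the server's secret; the attacker never sees it
DEMO_NONCE = os.urandom(8)

if __name__ == "__main__":
    for true_role in ("admin", "user"):
        print(true_role, "ECB says admin:", ecb_oracle(DEMO_KEY, true_role, "admin"),
              "CTR says admin:", ctr_oracle(DEMO_KEY, DEMO_NONCE, true_role, "admin"))
```

Under ECB the oracle answers correctly without the key, because the attacker only compares two ciphertext blocks it can observe; under CTR the same comparison is uninformative. The same `has_repeated_blocks` check is a quick way to spot ECB-encrypted session cookies in the wild.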
Comment 7 Vincent Danen 2012-08-13 19:26:43 EDT
This is now public:


Probably also want this patch as well (to prefer nsscrypto over pycrypto):

Comment 8 Vincent Danen 2012-08-13 19:29:25 EDT
Created python-beaker tracking bugs for this issue

Affects: epel-5 [bug 847898]
