Remove requirement for PyCrypto #50

Open
ralphje opened this issue May 19, 2020 · 1 comment

ralphje commented May 19, 2020

pycrypto is no longer maintained and should not be used anymore. An alternative library is pycryptodome, which provides an alternative that is still maintained and suitable for the purposes of this library.

However, note that some functions, such as XOR, are no longer available in pycryptodome, so those should be replaced by something like `bytes([a ^ b for a, b in zip(itertools.cycle(key), data)])`

There is currently a security vulnerability in pycrypto, so changing this is essential:

```
╞════════════════════════════╤═══════════╤══════════════════════════╤══════════╡
│ package                    │ installed │ affected                 │ ID       │
╞════════════════════════════╧═══════════╧══════════════════════════╧══════════╡
│ pycrypto                   │ 2.6.1     │ <=2.6.1                  │ 35015    │
╞══════════════════════════════════════════════════════════════════════════════╡
│ Heap-based buffer overflow in the ALGnew function in block_templace.c in     │
│ Python Cryptography Toolkit (aka pycrypto) 2.6.1 allows remote attackers to  │
│ execute arbitrary code as demonstrated by a crafted iv parameter to          │
│ cryptmsg.py.                                                                 │
╘══════════════════════════════════════════════════════════════════════════════╛
```
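
The XOR replacement suggested in the comment above, as an added example (not code from this project or from pycryptodome): a one-shot helper built on the comment's expression, plus a small cipher-style object for call sites written as `new(key).decrypt(data)`. The names `xor_bytes`, `XORCipher` and `new` are hypothetical, and carrying the key position across calls is an assumption about how callers use the object.

```python
import itertools


def xor_bytes(key, data):
    """One-shot repeating-key XOR, using the expression from the comment."""
    if not key:
        # itertools.cycle(b"") yields nothing, so zip() would silently
        # return b"" and drop the whole payload instead of failing.
        raise ValueError("XOR key must be at least one byte")
    return bytes([a ^ b for a, b in zip(itertools.cycle(key), data)])


class XORCipher:
    """Hypothetical stand-in for an XOR cipher object; pure Python."""

    def __init__(self, key):
        key = bytes(key)
        if not key:
            raise ValueError("XOR key must be at least one byte")
        # One endless key iterator, so the key position carries over when
        # data is fed in several chunks (assumption, see lead-in).
        self._keystream = itertools.cycle(key)

    def encrypt(self, data):
        # data goes first in zip(): zip() stops as soon as data is exhausted,
        # before pulling another key byte. With the keystream first, every
        # call would swallow one extra key byte and later chunks would
        # decode with the key shifted by one position.
        return bytes(b ^ k for b, k in zip(data, self._keystream))

    # XOR is its own inverse.
    decrypt = encrypt


def new(key):
    """Factory mirroring the new(key) calling style of cipher modules."""
    return XORCipher(key)


if __name__ == "__main__":
    key = b"\x13\x37\xc0"            # constructed sample key
    blob = xor_bytes(key, b"constructed sample config")
    cipher = new(key)
    # Decode in chunks whose sizes are not multiples of the key length.
    print(cipher.decrypt(blob[:4]) + cipher.decrypt(blob[4:]))
```
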
@kevthehermit
Owner

Thanks, will take a look and start working through them.
