[Duplicity-talk] CTR mode needs counter parameter, not IV
From: zeug
Subject: [Duplicity-talk] CTR mode needs counter parameter, not IV
Date: Tue, 24 Jan 2017 19:25:12 +0100

I've tracked the problem down to (unpublished) CVE-2013-7459 dealing with a bug
in pycrypto:
Heap-buffer overflow in ALGobject structure
https://access.redhat.com/security/cve/cve-2013-7459
It has already been fixed on Gentoo (and other distros) by the following patch:
https://gitweb.gentoo.org/repo/gentoo.git/tree/dev-python/pycrypto/files/pycrypto-2.6.1-CVE-2013-7459.patch
Apparently, duplicity needs some modifications as well since pycrypto will most
likely apply this patch in the near future.
For now, the workaround on Gentoo is a simple rollback to pycrypto-2.6.1-r1
which does not yet contain the patch.