[Bug 1695899] Re: [MIR] python-scrypt, python-bcrypt
This bug was fixed in the package python-scrypt - 0.8.0-0.3ubuntu2

---------------
python-scrypt (0.8.0-0.3ubuntu2) groovy; urgency=medium

  [ Corey Bryant ]
  * d/gbp.conf: Update gbp configuration file.
  * d/control: Update Vcs-* links and maintainers.

  [ Chris MacNaughton ]
  * d/p/add-missing-rfc-test-vector.patch: Apply patch to enable
    additional test vectors from the scrypt RFC (LP: #1695899).
  * d/rules: Enable DEB_BUILD_MAINT_OPTIONS hardening at build time
    (LP: #1695899).

 -- Chris MacNaughton  Tue, 08 Sep 2020 13:06:52 +

** Changed in: python-scrypt (Ubuntu)
       Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1695899

Title:
  [MIR] python-scrypt, python-bcrypt

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-bcrypt/+bug/1695899/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1695899] Re: [MIR] python-scrypt, python-bcrypt
** Changed in: python-scrypt (Ubuntu)
     Assignee: James Page (james-page) => Chris MacNaughton (chris.macnaughton)
[Bug 1695899] Re: [MIR] python-scrypt, python-bcrypt
** Merge proposal linked:
   https://code.launchpad.net/~chris.macnaughton/ubuntu/+source/python-scrypt/+git/python-scrypt/+merge/390400
[Bug 1695899] Re: [MIR] python-scrypt, python-bcrypt
James,

This hasn't been addressed yet (fixing BINDNOW and tests as per Tyler's
comment in comment #4). Please fix ASAP.

** Changed in: python-scrypt (Ubuntu)
   Importance: High => Critical
[Bug 1695899] Re: [MIR] python-scrypt, python-bcrypt
Leaving scrypt task open and assigning to James based on Tyler's feedback.

** Changed in: python-scrypt (Ubuntu)
       Status: New => Triaged

** Changed in: python-scrypt (Ubuntu)
     Assignee: (unassigned) => James Page (james-page)
[Bug 1695899] Re: [MIR] python-scrypt, python-bcrypt
Override component to main
python-bcrypt 3.1.3-0ubuntu1 in artful amd64: universe/python/extra/100% -> main
python-bcrypt 3.1.3-0ubuntu1 in artful arm64: universe/python/extra/100% -> main
python-bcrypt 3.1.3-0ubuntu1 in artful armhf: universe/python/extra/100% -> main
python-bcrypt 3.1.3-0ubuntu1 in artful i386: universe/python/extra/100% -> main
python-bcrypt 3.1.3-0ubuntu1 in artful ppc64el: universe/python/extra/100% -> main
python-bcrypt 3.1.3-0ubuntu1 in artful s390x: universe/python/extra/100% -> main
python-scrypt 0.8.0-0ubuntu1 in artful amd64: universe/python/optional/100% -> main
python-scrypt 0.8.0-0ubuntu1 in artful arm64: universe/python/optional/100% -> main
python-scrypt 0.8.0-0ubuntu1 in artful armhf: universe/python/optional/100% -> main
python-scrypt 0.8.0-0ubuntu1 in artful i386: universe/python/optional/100% -> main
python-scrypt 0.8.0-0ubuntu1 in artful ppc64el: universe/python/optional/100% -> main
python-scrypt 0.8.0-0ubuntu1 in artful s390x: universe/python/optional/100% -> main
12 publications overridden.

** Changed in: python-bcrypt (Ubuntu)
       Status: New => Fix Released
[Bug 1695899] Re: [MIR] python-scrypt, python-bcrypt
Hello!

This is a very accelerated security review of python-bcrypt. I didn't
look at the bcrypt implementation itself but did verify that the test
vectors used have overlap with Openwall's crypt_blowfish test vectors:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/glibc/crypt_blowfish/wrapper.c?rev=HEAD

I've also previously reviewed python-bcrypt here:

https://bugs.launchpad.net/ubuntu/+source/python-bcrypt/+bug/1427861/comments/1

Considering that I've previously reviewed the project, the test vectors
are now more aligned with Openwall's test vectors, and the fact that
this package was not a large maintenance burden while it was previously
in main, Security Team ack for python-bcrypt.

** Changed in: python-bcrypt (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** Changed in: python-scrypt (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
[Bug 1695899] Re: [MIR] python-scrypt, python-bcrypt
Hello!

This is a very accelerated security review of python-scrypt. I didn't
look at the scrypt implementation itself but did have a quick look at a
few important areas of the project.

1) crypto_entropy_read() eventually calls entropy_read() which directly
reads from /dev/urandom. New code that needs to fetch random data should
be using the getrandom(2) syscall available in 3.17 and newer kernels.
The main downside of entropy_read()'s implementation is that it can't
detect if the urandom pool has not yet been initialized. It would be
nice if the function were converted to use getrandom(2) when it is
available.

2) It is great to see that tests/hashvectors.csv is inspired by the test
vectors found in rfc7914:

https://tools.ietf.org/html/rfc7914#section-12

However, it only includes three of the four test vectors. It would be
nice if hashvectors.csv could be updated to include the
scrypt(P="pleaseletmein", S="SodiumChloride", N=1048576, r=8, p=1,
dkLen=64) vector.

3) It is strongly recommended that BINDNOW hardening be enabled at build
time.

Security team ack for pre-promotion but I'm requesting that you fix #2
and #3 ASAP (before 17.10 is released).
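The following is an added example, not code from python-scrypt or from this bug thread, showing why the fourth RFC 7914 vector tends to be missing from a test file: it needs about 1 GiB of memory, so a harness with a default memory ceiling skips it. It checks all four section 12 vectors with hashlib.scrypt (assumes a Python built against OpenSSL 1.1 or newer); the CSV layout of the real hashvectors.csv is not reproduced here.

```python
import hashlib

# RFC 7914 section 12 vectors: (password, salt, N, r, p, dk hex), dkLen=64.
# The fourth (N=2^20) is the one hashvectors.csv lacked.
RFC7914_VECTORS = [
    ("", "", 16, 1, 1,
     "77d6576238657b203b19ca42c18a0497f16b4844e3074ae8dfdffa3fede21442"
     "fcd0069ded0948f8326a753a0fc81f17e8d3e0fb2e0d3628cf35e20c38d18906"),
    ("password", "NaCl", 1024, 8, 16,
     "fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b373162"
     "2eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640"),
    ("pleaseletmein", "SodiumChloride", 16384, 8, 1,
     "7023bdcb3afd7348461c06cd81fd38ebfda8fbba904f8e3ea9b543f6545da1f2"
     "d5432955613f0fcf62d49705242a9af9e61e85dc0d651e40dfcf017b45575887"),
    ("pleaseletmein", "SodiumChloride", 1048576, 8, 1,
     "2101cb9b6a511aaeaddbbe09cf70f881ec568d574a2ffd4dabe5ee9820adaa47"
     "8e56fd8f4ba5d09ffa1c6d927c40f4c337304049e8a952fbcbf45c6fa77a41a4"),
]

DEFAULT_MAXMEM = 32 * 1024 * 1024  # OpenSSL's default scrypt memory ceiling

def scrypt_memory_bytes(n, r, p):
    """Bytes scrypt needs for (N, r, p): the V array is 128*r*N, plus B
    (128*r*p) and two working blocks. This is the accounting OpenSSL,
    which backs hashlib.scrypt, compares against maxmem."""
    return 128 * r * (n + p + 2)

def check_vector(password, salt, n, r, p, expected_hex, maxmem=DEFAULT_MAXMEM):
    """Return 'ok', 'mismatch' or 'skipped' for one vector.
    A vector whose memory need exceeds maxmem is skipped instead of run;
    that is how the N=1048576 vector (about 1 GiB) drops out of a test
    suite unless the harness explicitly opts in with a larger maxmem."""
    if scrypt_memory_bytes(n, r, p) > maxmem:
        return "skipped"
    dk = hashlib.scrypt(password.encode(), salt=salt.encode(),
                        n=n, r=r, p=p, maxmem=maxmem, dklen=64)
    return "ok" if dk == bytes.fromhex(expected_hex) else "mismatch"

def check_all(vectors=RFC7914_VECTORS, maxmem=DEFAULT_MAXMEM):
    """Status of every vector; pass maxmem=2**31 - 1 to also run the 1 GiB one."""
    return [check_vector(*v, maxmem=maxmem) for v in vectors]

if __name__ == "__main__":
    for (_, _, n, r, p, _), status in zip(RFC7914_VECTORS, check_all()):
        mib = scrypt_memory_bytes(n, r, p) / 2**20
        print(f"N={n:>7} r={r} p={p:>2} needs {mib:8.2f} MiB: {status}")
```

With the default ceiling the first three report "ok" and the fourth "skipped"; a test suite that wants the fourth vector has to raise maxmem deliberately, which is the opt-in a packager adding it needs to make.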
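An added Python illustration of point 1 above (not python-scrypt's code): os.getrandom() is the Python wrapper for getrandom(2) on Linux 3.17+ with Python 3.6+, and the fallback branch is what entropy_read() does today, reading /dev/urandom with no way to tell whether the pool was seeded.

```python
import os

def read_entropy(nbytes):
    """Return (random_bytes, pool_verified).

    getrandom(2) with GRND_NONBLOCK fails with EAGAIN while the kernel's
    urandom pool is still uninitialised, so a successful call proves the
    bytes come from a seeded pool. A read of /dev/urandom returns bytes
    either way, which is the weakness the review points out; this code
    only falls back to it where the syscall is unavailable and reports
    that the pool state was not checked."""
    if hasattr(os, "getrandom"):  # Linux 3.17+ with Python 3.6+
        try:
            return os.getrandom(nbytes, os.GRND_NONBLOCK), True
        except BlockingIOError:
            # Pool not seeded yet (early boot, fresh VM): wait for it
            # rather than hand out bytes of unknown quality.
            return os.getrandom(nbytes), True
    with open("/dev/urandom", "rb") as dev:  # what entropy_read() does
        return dev.read(nbytes), False

if __name__ == "__main__":
    data, verified = read_entropy(32)
    print(data.hex(), "pool verified:", verified)
```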
[Bug 1695899] Re: [MIR] python-scrypt, python-bcrypt
Since Tyler mentioned it requires a review anyway, assigning to the
Security Team.

python-bcrypt has lintian warnings on the binary package:

W: python3-bcrypt: python-module-in-wrong-location usr/lib/python3.6/dist-packages/bcrypt/ usr/lib/python3/dist-packages/bcrypt/
W: python3-bcrypt: python-module-in-wrong-location usr/lib/python3.6/dist-packages/bcrypt/_bcrypt.abi3.so usr/lib/python3/dist-packages/bcrypt/_bcrypt.abi3.so

(These should be fixed)

There are also some warnings about missing bindnow for python-scrypt and
python3-scrypt; they might benefit from being fixed, the Security Team
can further comment on that.

** Changed in: python-scrypt (Ubuntu)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

** Changed in: python-bcrypt (Ubuntu)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)
[Bug 1695899] Re: [MIR] python-scrypt, python-bcrypt
I was hoping that I could quickly ack, from a security review
standpoint, python-bcrypt since I already acked it in bug 1427861.
However, the project has significantly changed since that review. The
bcrypt backend has changed from Openwall's implementation to OpenBSD's
implementation. Test vectors have also changed. I don't think this
package will require a really close look but it is going to require a
closer look than what I had anticipated.
[Bug 1695899] Re: [MIR] python-scrypt, python-bcrypt
python-bcrypt has main history under MIR bug 1427861
[Bug 1695899] Re: [MIR] python-scrypt, python-bcrypt
** Tags added: openstack-mir
[Bug 1695899] Re: [MIR] python-scrypt, python-bcrypt
** Summary changed:

- [MIR] scrypt, bcrypt
+ [MIR] python-scrypt, python-bcrypt

** Package changed: bcrypt (Ubuntu) => python-bcrypt (Ubuntu)

** Package changed: scrypt (Ubuntu) => python-scrypt (Ubuntu)

** Description changed:

- >scrypt<
+ >python-scrypt<
  
  [Availability]
  In universe
  
  [Rationale]
  keystone: Support new hashing algorithms for securely storing password hashes
  
  [Security]
  
  [Quality assurance]
  Package has not been well maintained in Debian; Python 3 support and new
  upstream release + misc package polish applied in Ubuntu. Package runs
  test suite for all python versions as part of build.
  
  [Dependencies]
  In main.
  
  [Standards compliance]
  OK
  
  [Maintenance]
  ubuntu-openstack
  
- >bcrypt<
+ >python-bcrypt<
  
  [Availability]
  In universe
  
  [Rationale]
  keystone: Support new hashing algorithms for securely storing password hashes
  
  [Security]
  
  [Quality assurance]
  Package well maintained in Debian; Minor point release in Ubuntu over
  Debian unstable. Package runs test suite for all python versions as
  part of build.
  
  [Dependencies]
  In main.
  
  [Standards compliance]
  OK
  
  [Maintenance]
  ubuntu-openstack

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to python-bcrypt in Ubuntu.
https://bugs.launchpad.net/bugs/1695899

Title:
  [MIR] python-scrypt, python-bcrypt

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-bcrypt/+bug/1695899/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs