Huge flaw in Ubuntu Dapper’s Python Crypto Module

Posted on April 3rd, 2008 in Python.

This is rather serious. Consider this:

% dd if=/dev/zero of=data bs=1 count=2679
% sha256sum data
a25f4ccc56ddf88a4fb3e11baec5838c5181a496f376cdd569f8fc782f8fdcdf  data

A file of 2679 zeros and its SHA-256 hash. Nothing special.

Well, not exactly .. now look at the equivalent Python code:

$ python
Python 2.4.3 (#2, Oct  6 2006, 07:49:22)
[GCC 4.0.3 (Ubuntu 4.0.3-1ubuntu5)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from Crypto.Hash import SHA256
>>> data = open("data", "rb").read()
>>> print SHA256.new(data).hexdigest()
14a59554dba8be8ac9aa03eea67a026b3773eb674d22719123be41ca774319a3

Oops!

So it seems the Python Crypto module generates wrong SHA-256 hashes for files that have a size of (N*8)-1. But only for files of reasonable size.

We discovered this the hard way because we cache images based on their SHA256 hash. All cache entries with wrong hashes had this (N*8)-1 file size.

I’m not sure if this is just limited to the Ubuntu Dapper Drake / X64 install that we use. For the record, this is the package I’m talking about:

$ aptitude show python2.4-crypto
Package: python2.4-crypto
State: installed
Automatically installed: yes
Version: 2.0.1+dfsg1-1ubuntu1
Priority: optional
Section: python
Maintainer: Andreas Rottmann 
Uncompressed Size: 557k
Depends: libc6 (>= 2.3.4-1), libgmp3c2, python2.4
Description: cryptographic algorithms and protocols for Python
 A collection of cryptographic algorithms and protocols, implemented for use from Python.
  Among the contents of the package: 

    * Hash functions: MD2, MD4.
    * Block encryption algorithms: AES, ARC2, Blowfish, CAST, DES, Triple-DES.
    * Stream encryption algorithms: ARC4, simple XOR.
    * Public-key algorithms: RSA, DSA, ElGamal, qNEW.
    * Protocols: All-or-nothing transforms, chaffing/winnowing.
    * Miscellaneous: RFC1751 module for converting 128-key keys into a
      set of English words, primality testing.

This sure taught us a lesson. Never trust (crypto) code until you have unit tested it yourself.

I’m trying to figure out where to report this.

 

2 responses

  1. Marcus says:

    Added on April 3rd, 2008 at 5:43 pm

    Bug was found a couple of months ago, a patch is available

    https://bugs.launchpad.net/ubuntu/ source/python-crypto/ bug/191683

  2. Zooko says:

    Added on April 3rd, 2008 at 7:42 pm

    This bug was the last straw for why I started making my own Python wrappers for the Crypto library:

    http://allmydata.org/trac/pycryptopp

    pycrypto is basically unmaintained, and parts of it (such as its sha-256 implementation) were copied from libtomcrypt, which has poor quality control compared to Crypto . Specifically, Crypto comes with these things called “tests”, which check that its sha-256 implementation yields the same results as the published test vectors. If libtomcrypt or pycrypto had tests, then this bug (and its predecessors) would never have happened.

Leave a Reply

Bathroom and bathroom repair.
Tests Grade 5 No Membership Phentermine Description Of Phentermine Phentermine Hydrocloride Iv Tablets Discount Phentermine Blue Valium Paxil Phentermine A 159 Japan Phentermine Hydroxide Phentermine Info Phentermine Info Side Affects Of Tramadol 50mg Phentermine Hc1 Drug Safety Of Phentermine What Are Diazepam And Valium Didrex Phentermine Other Uses Of Phentermine 37.5 Pharmacy Phentermine Real Secure Ocd Tramadol Phentermine Xenical Phentermine 37 5 Consultation Phentermine Affects Metabolism Get Phentermine Ccbasket Phentermine Phentermine Used Effexor Drug Interactions With Viagra Viagra For Women Information From Onhealth Is Lorazepam The Same As Xanax Phentermine 30 Photos Discount Hepsera Soma Can You Mix Tramadol And Benedryl When Phentermine Stops Working Discount Bulk Viagra India 150mg Effexor Loss Weight What Does Tramadol Look Like Boards Googlepray Pharmacy Phentermine Phentermine Ionamin Generic Viagra Sold On Line Phentermine Chemistry Canadian Phentermine 37.5 Phentermine Fedex Overnight Shipping Tramadol Sales Lose Weight With Phentermine And 5-htp Generic Xanax Names Medication Tramadol Hcl Tramadol Mutual Vs Akyma Cialis Levitra Viagra Index Phentermine 37.5 Information Ultram Patient Information Instructions Tramadol Hcl De Cosite Link Tramadol Will Tramadol Fail Drug Screen 247 Phentermine Chloral Hydrate Tramadol Carisoprodol Domain Soma Rbcmail Ru Tramadol Dog Kidney Phentermine Effect On Bloodwork No Script Next Day Phentermine Phentermine Hcl Trusted Pharmacy Catalog On Line Pharmacy Hydrocodone False Positive Pcp Tramadol Fioricet And Prochlorper Wheight Loss With Phentermine And Synthroid Together Phentermine To Canada We Will Ship To Fl Tramadol Best Drugs Phentermine Cialis Viagra Levitra Phorum View Topic Tramadol Puchase Phentermines 30mg Tramadol Psychosis Phentermine Weight Loss Tramadol Apap37 5mg 325mg Can You Overdose On Tramadol Is Generic Viagra Safe Phentermine One Day Phentermine For Sale In Usa Tramadol And Ocd C O D Tramadol Shipping Phentermine And Gastrointestinal Disturbances Phentermine Without A Percription Which Is Better Viagra Or Levitra Fioricet Lexapro Herpes Fda Phentermine On Line Phentermine Pregnancy Health Health Viagra Viagra Woman Woman Doctors That Prescribe Phentermine Tramadol Overnight Delivery Cod Delivery Tramadol And Throat Tramadol And Cash On Delivery Tramadol Hdl Acetaminophen Tramadol Hcl Acetaminophen Take Vicodin Tramadol 500mg Information New Tramadol Tramadol Ampules Celebrex Vs Naproxen Tramadol Vs Tramadol Hcl Ingredient Tramadol Phentermine Pharma Compare Levitra Viagra And Cialis Tramadol Recreational Drug Use Tramadol Drug Utilization Review No Presription Needed Phentermine Get Zyban For Less Money Phentermine With Herbal Phentermine Review Black Jack Marijuana Seeds Agcode Phentermine Tramadol Acute Toxicity In Animals Cod Sold Tramadol Urine Testing And Phentermine 50mg Hcl Tab Tramadol India Phentermine Phentermine Hydrocodone Phentermine Causes Miscarriage I Think My Phentermine Is Fake Generic Prozac Effectiveness Estradiol On Line Pharmacy Phentermine Drug Information Cyp3a Grapefruit Drug Interaction Phentermine Hcl Medication Tramadol Phentermine Cp Tramadol Canada Noc Phentermine No Doctors Tramadol Naproxen Phentermine And Phentermine Hcl Genertic Phentermine Side Effects Of Tramadol Long Term Xanax What Is Better Viagra Or Levitra Phentermine By Adipex Tramadol 10mg Can Tramadol Be Given With Aspirin What Is Phentermine Hcl Tramadol Nasal Subs Exp_pharms_tramadol Side Effects Of Tramadol In Cats Long Term Affects Phentermine Nj Doctors That Prescribe Phentermine Seratonin Syndrome Phentermine C O D Phentermine Generic Viagra Generic Meltabs Viagra Phentermine Cod"s Accepted Viagra From Indiana Pharmacy Tramadol Hcl-acetaminophen Car Taking Klonopin After Xanax Phentermine Purchase Phentermine And Save Indice Tramadol Antidepressant Yellow Phentermine Most Popular Information About Tramadol Better Results Break Phentermine Half Is Generic Viagra From India Safe Phentermine Los Angeles Generic Paxil Launch Viagra Levitra And Cialis Phentermine 37.5 No Denials Phentermine Ship Overnight Sildenafil Citrate Suspension Stability Patent Estate Sale Viagra Ambien Interaction Oxycodone Pharmacy Search Soma Carisoprodol Usa Phentermine Pharmacy Actos Actos Phentermine Diflucan Cialis Genuinerx Net Viagra Viagra When Does Phentermine Sart To Work Phentermine Effective Paxil Insurance Difference Between Propecia And Generic Finasteride Dogs Tramadol Artritus Tramadol Hydrochloride Side Effect 5generic Sildenafil Citrate Work Phentermine Imitrex Compare Dosage Viagra And Levitra Lorazepam Xanax Tramadol Dogs Pain Phentermine Overnight No Rx Fioricet Picture 1 50mg Tramadol Collegehumor Picture Viagra For Women Citrate Salt Of Sildenafil Paxil Law Suit Settlements Phentermine Hydrochloride 37.5 Mg Viagra Alternative Review Phentermine Increase Efficacy Antidepressant Phentermine New Jersey Senior Discount Viagra Is Phentermine Hcl 30mg Safe Tramadol Cod Saturday Delivery Generic Generic Viagra Tadalafil Canadian Tramadol Herbal Viagra Replacements Delivery Phentermine Phentermine Mobile Alabama Purchase Phentermine Cod Information About Phentermine Hydrochloride Phentermine Tenuate Vs Tramadol And Effects From Celexa Viewing A Thread Phentermine And Antidepressants Ultam Tramadol Purchase Phentermine Overnight Shipping Phentermine Effect Drug Test Mexico Pharmacies Phentermine Phentermine Side Effects A Perfect Casino 5is There A Generic Sildenafil Citrate Fioricet Watson Canada Cialis Levitra Senical Hgh Phentermine Quit Smoking Detox Cialis Dish Levitra Viagra Visit Zyban Comment Keyword Phentermine Purchase Phentermine Men Diet Growth Hormone Phentermine Phentreminem Phntramine Female Viagra Patch Flushed Feeling And Tramadol Phentermine Uk Supplier Laurushealth Com Drugsguide Tramadol Html Phentermine All Pharmacies Next Day Shipping Phentermine Does Phentermine Speed Up Metabolism Tramadol Sale Aciphex Nexium Phentermine Pravachol Viagra Nasal Sprays Herbal Phentermine Side Effects Nextday Tramadol 180 Finax Generic Propecia Drug Facts Phentermine 37.5 Mg Without Primary Docter Overseas Tramadol Is Tramadol A Narc Phentermine Taiwan A Description Of Pharmacy Phentermine Overview Phentermine Deliver Uk Valtrex Tramadol Erectile Dysfunction Ed Phentermine Hcl 30mg An Effective Natural Alternative To Viagra Other Names For Phentermine Effects Of Tramadol On Dogs Phentermine Boards Vardenafil Sildenafil Citrate Drugs Tramadol Ultram What Is Tramadol Addicted To Tramadol Tramadol 5mg Cannot Ejaculate On Tramadol Topical Viagra For Women Tramadol Fedex Cod Sibutramine Generic Meridia Side Effects Of Tramadol In Pets Phentermine Claritin D Hr Overnight Shipping Phentermine Phentermine Message Board Ezboard Com Nevada Based Phentermine Overnight Viagra Contra Cialis Experience Snort Tramadol California Discount Pharmacy Tramadol Seizures Tramadol Va Regulations Viagra Opendiary Com Phentermine Post Ky Pharmacy Phentermine Shipping Being Called Drug Female New Viagra Taking Viagra With Tramadol 888 557 1872 Tramadol Cod Phentermine Hydrochloride 37.5 Compare Pharmacies For Phentermine Tramadol Is Prescribed For Clorhidrato De Tramadol Tramadol Discount Codes Phentermine Blue No Script Side Effects Tramadol Trusted Pharmacy Catalog Tramadol Euphoria Effects Andnot Pharmacy Phentermine Pim Loss Adipex Phentermine Phentermine Shipped With 10 Business Days Tramadol Street Value Tramadol With Cash On Delivery Recreational Use Of Tramadol Phentermine In Stock Now Sildenafil Pulmonary Hypertension Nitrates Tramadol And Acetaminophen Tramadol Codeine Allergy Tramadol Adverse Affects Phentermine Great Search Luxury Hotel Rome Discount Phentermine Taking Tramadol With Methadone Same Day Shipping Phentermine Female Viagra Christmas Discounts Tramadol Serpents Information Female Viagra Spray Tramadol Worse Phentermine And Exercise Tramadol Next Day Delivery Tramadol Supply Cod 4.33 Phentermine Purchase