WebFaction

I'm testing a Django installation with a virtualenv. In it I've pip installed fabric, which uses pycrypto. This seems to throw some vulnerability warnings:

/home/user/.../somedir/.../.virtualenvs/myvirtualenv/lib/python2.7/site-packages/Crypto/Util/number.py:57:

PowmInsecureWarning: Not using mpz_powm_sec. You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.

_warn("Not using mpz_powm_sec. You should rebuild using libgmp >= 5 to avoid timing attack vulnerability.", PowmInsecureWarning)

What can I do to secure the installation against these potential attacks? Thank you

asked 25 Jan '13, 09:12

alphydan
5157
accept rate: 0%


You can build your own libgmp from its official sources in your home directory, then re-install pycrypto, linking against your locally-installed libgmp.


answered 25 Jan '13, 18:37

seanf
12.2k41836
accept rate: 37%

@seanf, thanks for the reply. So from ~/ I did

wget ftp://ftp.gmplib.org/pub/gmp-5.1.0/gmp-5.1.0.tar.bz2
mkdir -p src
mv gmp-5.1.0.tar.bz2 src/
cd src
tar xvjf gmp-5.1.0.tar.bz2
cd gmp-5.1.0
./configure
make
make install

which resulted in some good looking lines + some non-descriptive errors,

libtool: link: `gcdext.lo' is not a valid libtool object
make[2]: *** [libmpn.la] Error 1
make[2]: Leaving directory `/home/username/src/gmp-5.1.0/mpn'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/username/src/gmp-5.1.0'
make: *** [all] Error 2

How does one "link[..] against your locally-installed libgmp."?

I tried to just pip uninstall and pip install pycrypto but that doesn't seem to be it (and doesn't do the aforementioned linking). Sorry for all the hand-holding ... but hopefully it will help others too.


answered 28 Jan '13, 16:05

alphydan
5157
accept rate: 0%

'Linking' means telling an installer which libraries to use instead of them using defaults. You would read the pycrypto installation documentation for the exact command parameters to do this; each app and version is slightly different.

(29 Jan '13, 01:26) johns

Thanks johns. I did figure out that much. I was just wondering if someone had any experience with it, as http://pypi.python.org/pypi/pycrypto/2.6 doesn't give any details. The answer may be here https://github.com/dlitz/pycrypto/blob/master/configure ... but I'll have to unearth it.

(29 Jan '13, 06:57) alphydan

Check this out: http://stackoverflow.com/questions/17319033/fixing-warning-gmp-or-mpir-library-not-found-not-building-crypto-publickkey/18473535#18473535


answered 27 Aug '13, 14:07

lai
1
accept rate: 0%
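
As an added example (not written by any poster in this thread, and not WebFaction's or pycrypto's own code), one way to carry out the steps in seanf's answer and the linking the follow-up asks about, with a check that the warning is gone. It assumes a `$HOME/local` prefix, that pycrypto's build honours `CPPFLAGS` and `LDFLAGS` from the environment, and that the tarball is already downloaded; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumptions: the $HOME/local prefix and all function names
# are ours; gmp-5.1.0.tar.bz2 is already downloaded into the current directory.
PREFIX="${PREFIX:-$HOME/local}"

# Flags that point a build at the private prefix. -rpath records the library
# directory in _fastmath.so, so libgmp is found at run time without
# LD_LIBRARY_PATH.
gmp_cppflags() { printf '%s' "-I$1/include"; }
gmp_ldflags()  { printf '%s' "-L$1/lib -Wl,-rpath,$1/lib"; }

# Build GMP and install it under the prefix; no root access needed.
build_gmp() {
    tar xjf "$1" || return 1
    ( cd "${1%.tar.bz2}" &&
      ./configure --prefix="$2" &&
      make && make check && make install )
}

# Rebuild pycrypto in the active virtualenv against that GMP.
# --no-cache-dir stops pip from reusing a wheel built before GMP existed.
rebuild_pycrypto() {
    pip uninstall -y pycrypto
    CPPFLAGS="$(gmp_cppflags "$1")" LDFLAGS="$(gmp_ldflags "$1")" \
        pip install --no-cache-dir pycrypto
}

# Exit 0 if the text on stdin contains the timing-attack warning.
has_powm_warning() { grep -q 'PowmInsecureWarning'; }

# 0 = _fastmath loads and no warning; 1 = warning still present;
# 2 = _fastmath missing or not loadable (GMP not found at build or run time).
verify_pycrypto() {
    out=$(python -W always -c \
        'from Crypto.PublicKey import _fastmath; import Crypto.Util.number' 2>&1) ||
        { printf '%s\n' "$out" >&2; return 2; }
    if printf '%s\n' "$out" | has_powm_warning; then return 1; fi
    return 0
}

# Full run, typed by hand once the functions are loaded:
#   build_gmp gmp-5.1.0.tar.bz2 "$PREFIX" && rebuild_pycrypto "$PREFIX" && verify_pycrypto
```

A return of 2 from `verify_pycrypto` corresponds to the "GMP or MPIR library not found" build warning named in the Stack Overflow link above: the extension was never built, so the runtime warning is absent for the wrong reason.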


question asked: 25 Jan '13, 09:12

question was seen: 9,867 times

last updated: 27 Aug '13, 14:07
