gnu: python-pycrypto: Fix CVE-2013-7459.

* gnu/packages/patches/python-pycrypto-CVE-2013-7459.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/python.scm (python-pycrypto, python2-pycrypto)[source]: Use the patch. Use pypi-uri.
2025-10-02 02:15:12 +00:00 · 2017-01-06 13:43:38 -05:00 · 2017-01-06 13:43:38 -05:00 · aa21c764d6
commit aa21c764d6
parent 707c65aad7
3 changed files with 103 additions and 7 deletions
--- a/gnu/packages/python.scm
+++ b/gnu/packages/python.scm
@ -958,13 +958,11 @@ Python 3 support.")
 (define-public python2-setuptools
  (package-with-python2 python-setuptools))

-;;; Pycrypto is abandoned upstream [0] and contains at least one bug that can be
-;;; exploited to achieve arbitrary code execution [1].
+;;; Pycrypto is abandoned upstream:
+;;;
+;;; https://github.com/dlitz/pycrypto/issues/173
 ;;;
 ;;; TODO Remove this package from GNU Guix.
-;;;
-;;; [0] https://github.com/dlitz/pycrypto/issues/173
-;;; [1] https://github.com/dlitz/pycrypto/issues/176
 (define-public python-pycrypto
  (package
    (name "python-pycrypto")
@ -972,8 +970,8 @@ Python 3 support.")
    (source
     (origin
      (method url-fetch)
-      (uri (string-append "https://pypi.python.org/packages/source/p/"
-                          "pycrypto/pycrypto-" version ".tar.gz"))
+      (uri (pypi-uri "pycrypto" version))
+      (patches (search-patches "python-pycrypto-CVE-2013-7459.patch"))
      (sha256
       (base32
        "0g0ayql5b9mkjam8hym6zyg6bv77lbh66rv1fyvgqb17kfc1xkpj"))))