Stop using pycrypto. Use pycryptodome instead

PyCrypto Pulse on Sqreen

As we are still seeing a lot of applications depending on the Python Cryptography Toolkit (aka pycrypto) to manage their cryptography, this is a quick reminder to stop using it.

The vulnerability

Pycrypto is vulnerable to a heap-based buffer overflow in the ALGnew function in block_templace.c. It allows remote attackers to execute arbitrary code in the python application. It was assigned the CVE-2013-7459 number.

Pycrypto didn’t release any fix to that vulnerability and no commit was made to the project since Jun 20, 2014.

Pycryptodome to the rescue

Pycryptodome is a drop-in replacement for the PyCrypto library. Just ‘pip install pycryptodome’ and you’re good to go.

Update your requirements.txt now

Update your requirements.txt file now and also make sure none of your other library depends on pycrypto.

Does your application use this vulnerable package?

Test your application now!