Decryption error: ImportError: No module named Crypto.Cipher

Problem

You will run into the problem described here when decrypting Chrome's encrypted cookies with Python, as covered in the previous post.

When I try to run app.py (Python 3.3, PyCrypto 2.6) my virtualenv keeps returning the error listed above. My import statement is just from Crypto.Cipher import AES. I looked for duplicates and you might say that there are some, but I tried the solutions (although most are not even solutions) and nothing worked.

Solution

Do not use crypto or pycrypto anymore!

As you can read on this page, the usage of pycrypto is not safe anymore:

Pycrypto is vulnerable to a heap-based buffer overflow in the ALGnew function in block_template.c. It allows remote attackers to execute arbitrary code in the python application. It was assigned the CVE-2013-7459 number.

Pycrypto didn’t release any fix to that vulnerability and no commit was made to the project since Jun 20, 2014.

Update 2021-01-18: The CVE is fixed now (thanks @SumitBadsara for pointing it out!). You can find the current status of the open security tickets for each package at the Debian security tracker:

Use the pycryptodome replacement library for Python 3 instead!

Make sure to uninstall all versions of crypto and pycrypto first, then install pycryptodome:

pip3 uninstall crypto 
pip3 uninstall pycrypto 
pip3 install pycryptodome

All of these three packages get installed to the same folder, named Crypto. Installing different packages under the same folder name can be a common source for errors!

Best practice: virtual environments

In order to avoid problems with pip packages in different versions or packages that install under the same folder (i.e. pycrypto and pycryptodome) you can make use of a so-called virtual environment. There, the installed pip packages can be managed for every single project individually.

To install a virtual environment and set up everything, use the following commands:

# install python3 and pip3
sudo apt update
sudo apt upgrade
sudo apt install python3
sudo apt install python3-pip

# install virtualenv
pip3 install virtualenv

# install and create a virtual environment in your target folder
mkdir target_folder
cd target_folder
python3 -m virtualenv .

# now activate your venv and install pycryptodome
source bin/activate
pip3 install pycryptodome

# check if everything worked: 
# start the interactive python console and import the Crypto module
# when there is no import error then it worked
python
>>> from Crypto.Cipher import AES
>>> exit()

# don't forget to deactivate your venv again
deactivate

For more information, see pycryptodome.org
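
The check below is an added example, not code from the original post or from the pycryptodome project. It lists which of the three colliding distributions named above are installed in the current interpreter or virtualenv and prints the uninstall/install steps from this page. The function names, status strings and sample versions are constructed for illustration.

```python
from importlib import metadata  # Python 3.8+

# Distributions named on this page that all write into the same Crypto folder.
COLLIDING = ("crypto", "pycrypto", "pycryptodome")
WANTED = "pycryptodome"


def installed_colliding(dists):
    """Return {name: version} for colliding distributions in (name, version) pairs."""
    found = {}
    for name, version in dists:
        key = (name or "").lower().replace("_", "-")
        if key in COLLIDING:
            found[key] = version
    return found


def diagnose(dists):
    """Return (status, commands); commands repeat the pip3 steps from this page."""
    found = installed_colliding(dists)
    if not found:
        return "missing", ["pip3 install pycryptodome"]
    if set(found) == {WANTED}:
        return "ok", []
    # Anything else shares the Crypto folder with pycryptodome: remove every
    # colliding distribution that is present (pycryptodome too, because its
    # files may have been overwritten), then install pycryptodome cleanly.
    commands = ["pip3 uninstall " + n for n in COLLIDING if n in found]
    commands.append("pip3 install pycryptodome")
    return "replace", commands


def scan_environment():
    """Diagnose the interpreter (or activated virtualenv) running this script."""
    dists = [(d.metadata["Name"], d.version) for d in metadata.distributions()]
    return diagnose(dists)


if __name__ == "__main__":
    # Constructed sample: pycrypto and pycryptodome installed side by side.
    sample = [("pycrypto", "2.6.1"), ("pycryptodome", "3.9.9"), ("requests", "2.25.1")]
    print("sample:", diagnose(sample))
    status, commands = scan_environment()
    print("this environment:", status)
    for cmd in commands:
        print("  " + cmd)
```

Run it with the same python binary that raises the ImportError, for example inside the activated virtualenv, since each environment has its own set of installed packages.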
