Bug 1267548

Summary: python-cryptography: undefined behavior could lead to a crash
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: abaron, aortega, apevec, ayoung, chrisw, dallan, gkotton, gmollett, jschluet, lhh, lpeer, markmc, mcepl, nathaniel, rbryant, rbu, rhos-maint, sclewis, tdecacqu, terrycwk1994
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: python-cryptography 1.0.2
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-12-08 05:20:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1267554, 1267556
Bug Blocks: 1267553, 1288464, 1288743

Description Martin Prpič 2015-09-30 11:52:41 UTC
A flaw was found in the OpenSSL backend of python-cryptography:

The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with -O these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse. Accordingly, all response checks from the OpenSSL backend have been converted from assert to a true function call.

This issue has been fixed in the 1.0.2 version of python-cryptography.

Upstream changelog:

https://cryptography.io/en/stable/changelog/#id1

Related commits:

https://github.com/pyca/cryptography/commit/e3675af0f42e1f3117b61984805c192c1937a64f
https://github.com/pyca/cryptography/commit/3c39eba249bfd4582cfb4f169d7c47492b5369e3
https://github.com/pyca/cryptography/commit/7712edc5fa2bc5244221c35cf97e1b58f5981446
https://github.com/pyca/cryptography/commit/2917e460993c475c72d7146c50dc3bbc2414280d
https://github.com/pyca/cryptography/commit/915e0a1194400203b0e49e05de5facbc4ac8eb66
https://github.com/pyca/cryptography/commit/5fed07c15c696d8c82ef04b4a0e8435b444f4f17
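Added illustration, not part of this bug report or of the pyca/cryptography code base: the assert-style return-code check described above next to a plain function check, with `compile(..., optimize=1)` used to reproduce what `python -O` does to `assert` statements. `fake_openssl_call`, `InternalError` and `openssl_assert` are constructed names that only mirror the shape of the fix.

```python
"""Why an assert-based OpenSSL return-code check is unsafe under `python -O`."""


class InternalError(Exception):
    """Constructed stand-in for the error a library raises on an unexpected return code."""


def fake_openssl_call(succeed: bool) -> int:
    # Constructed stand-in for an OpenSSL binding: 1 = success, 0 = failure.
    return 1 if succeed else 0


# The pre-1.0.2 pattern, kept as source text so it can be compiled both with
# and without assertions stripped.
ASSERT_STYLE = """
def check_with_assert(rc):
    assert rc == 1, "unexpected return code"
    return "continued as if the call succeeded"
"""


def openssl_assert(ok: bool) -> None:
    """Post-1.0.2 shape: a real function call that -O cannot optimize away."""
    if not ok:
        raise InternalError("unexpected OpenSSL return code")


def check_with_function(rc: int) -> str:
    openssl_assert(rc == 1)
    return "continued as if the call succeeded"


def run_assert_style(rc: int, optimize: int) -> str:
    """Compile the assert-based check at the given level (optimize=1 is what
    `python -O` uses, and it removes every assert), then run it on rc."""
    ns: dict = {}
    exec(compile(ASSERT_STYLE, "<assert-style>", "exec", optimize=optimize), ns)
    try:
        return ns["check_with_assert"](rc)
    except AssertionError:
        return "AssertionError"


def run_function_style(rc: int) -> str:
    try:
        return check_with_function(rc)
    except InternalError:
        return "InternalError"


if __name__ == "__main__":
    bad = fake_openssl_call(succeed=False)
    print("assert,   -O off:", run_assert_style(bad, optimize=0))  # AssertionError
    print("assert,   -O on: ", run_assert_style(bad, optimize=1))  # failure silently ignored
    print("function, -O on: ", run_function_style(bad))            # InternalError
```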

Comment 1 Martin Prpič 2015-09-30 11:59:00 UTC
Created python-cryptography tracking bugs for this issue:

Affects: fedora-all [bug 1267554]
Affects: epel-7 [bug 1267556]

Comment 2 Fedora Update System 2015-11-12 23:27:29 UTC
python-cryptography-1.0.2-2.fc23 and python-cryptography-vectors-1.0.2-2.fc23 have been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 3 Adam Mariš 2015-12-04 11:53:55 UTC
*** Bug 1288254 has been marked as a duplicate of this bug. ***