Bug 1288254

Summary: python-cryptography: undefined behavior could lead to a crash
Product: [Other] Security Response Reporter: Robert Buchholz <rbu>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: mcepl, npmccallum, rbu
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
URL: https://github.com/pyca/cryptography/blob/1.0.2/CHANGELOG.rst#102---2015-09-27
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-04 11:53:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Robert Buchholz 2015-12-03 23:40:54 UTC 
From the 1.0.2 changelog:

SECURITY ISSUE: The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with -O these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse. Accordingly, all response checks from the OpenSSL backend have been converted from assert to a true function call. Credit Emilia Käsper (Google Security Team) for the report.


RHEL 7.2 introduced the vulnerable version 0.8.2-1 from EPEL7. Fedora is fixed per #1267554. The move of this package from EPEL probably makes #1267556 obsolete / a duplicate of this?

Note: If you plan to upgrade to a newer version and are using the fedora spec, the dependency on python-cffi is incorrect and should be ">= 1.1" instead of ">= 0.8".
Comment 1 Matěj Cepl 2015-12-04 09:44:16 UTC 
This is badly filed ... I am not sure against which package this is filed (do not file bugs to Security Response product). Do you mean "Fedora EPEL/python-cryptography"? Then this is duplicate of bug 1267556

Could you explain?
Comment 2 Robert Buchholz 2015-12-04 10:10:56 UTC 
Matěj, thanks for responding. I was under the impression vulnerabilities in RHEL should go into the "Security Response" product and not into the affected product itself (RHEL 7.2). Is this incorrect?

This is not about EPEL7. Affected is python-cryptography-0.8.2-1.el7.src.rpm which was introduced in RHEL in 7.2 (CentOS has it in the 7/CR branch currently):  http://vault.centos.org/7.1.1503/cr/Source/SPackages/python-cryptography-0.8.2-1.el7.src.rpm
Comment 3 Adam Mariš 2015-12-04 10:29:51 UTC 
(In reply to Robert Buchholz from comment #2)
> Matěj, thanks for responding. I was under the impression vulnerabilities in
> RHEL should go into the "Security Response" product and not into the
> affected product itself (RHEL 7.2). Is this incorrect?

Security issues should be filed also under the affected product and corresponding component. Just make sure you add Security into Keywords. Product Security will then pick it up, create a flaw bug a further process it as a security vulnerability.

> 
> This is not about EPEL7. Affected is python-cryptography-0.8.2-1.el7.src.rpm
> which was introduced in RHEL in 7.2 (CentOS has it in the 7/CR branch
> currently): 
> http://vault.centos.org/7.1.1503/cr/Source/SPackages/python-cryptography-0.8.
> 2-1.el7.src.rpm

Thank you for pointing out that this package is also shipped in RHEL-7. At first, we omitted it. We're tracking this issue here:

https://bugzilla.redhat.com/show_bug.cgi?id=1267548
Comment 4 Robert Buchholz 2015-12-04 10:45:26 UTC 
Adam, I'll remember this for next time.
Comment 5 Adam Mariš 2015-12-04 11:53:55 UTC 

*** This bug has been marked as a duplicate of bug 1267548 ***