|Summary:||CVE-2013-7459 pycrypto: Heap-buffer overflow in ALGobject structure|
|Product:||[Other] Security Response||Reporter:||Andrej Nemec <anemec>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED WONTFIX||QA Contact:|
|Version:||unspecified||CC:||apevec, bleanhar, bmcclain, ccoleman, chrisw, dblechte, dedgar, dmcphers, eedri, jgoulding, jjoyce, jkeck, jmatthew, joelsmith, jschluet, kbasil, kdube, kseifried, lhh, lpeer, markmc, mburns, mgoldboi, michal.skrivanek, moni121189, paul, python-maint, rbryant, rhos-maint, sbonazzo, sclewis, sherold, sisharma, slinaber, smallamp, smohan, srevivo, ssaha, tcarlin, tdawson, tdecacqu, tsanders, vbellur, ykaul, ylavi|
|Target Milestone:||---||Keywords:||Reopened, Security|
|Fixed In Version:||Doc Type:||If docs needed, set a value|
|Doc Text:||Story Points:||---|
|Last Closed:||2017-12-15 04:59:56 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:|
Description Andrej Nemec 2017-01-03 09:13:02 UTC
A heap-buffer overflow vulnerability was discovered in cryptopp. This vulnerability can be used to remotely gain access to shell. References: http://seclists.org/oss-sec/2016/q4/760 https://pony7.fr/ctf:public:32c3:cryptmsg Upstream bug: https://github.com/dlitz/pycrypto/issues/176
Comment 1 Paul Howarth 2017-01-19 10:20:59 UTC
Is EL-6's python-cryoto package not affected by this?
Comment 2 Paul Howarth 2017-01-19 10:21:41 UTC
Whoops, typo there, I meant python-crypto.
Comment 3 Chandrani 2017-08-07 10:38:23 UTC
Hi, Is this fix available as a part of pycrypto-2.6.1-py2.py3-none-any.whl. If not then in which release it will be bundled?? Thanks in advance.
Comment 4 Paul Howarth 2017-08-07 10:48:51 UTC
There is no upstream release containing a fix for this issue, and there's no real prospect of there being one any time soon. The lack of a fix for this is leading many other projects to move away from python-crypto (pycrypto) to other libraries such as python-cryptography instead.
Comment 5 Chandrani 2017-08-07 11:02:47 UTC
(In reply to Paul Howarth from comment #4) > There is no upstream release containing a fix for this issue, and there's no > real prospect of there being one any time soon. > > The lack of a fix for this is leading many other projects to move away from > python-crypto (pycrypto) to other libraries such as python-cryptography > instead. Tku for the prompt reply
Comment 6 Kurt Seifried 2017-10-30 18:16:03 UTC
RHUI 3 doesn't appear to use the affected code, emailed them to confirm, no reply yet.
Comment 7 Mark Knowles 2017-12-15 21:11:45 UTC
kseifried advised that RHUI is unaffected.