Bug 1409754 (CVE-2013-7459)

Summary: CVE-2013-7459 pycrypto: Heap-buffer overflow in ALGobject structure
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: apevec, bleanhar, bmcclain, ccoleman, chrisw, dblechte, dedgar, dmcphers, eedri, jgoulding, jjoyce, jkeck, jmatthew, joelsmith, jschluet, kbasil, kdube, kseifried, lhh, lpeer, markmc, mburns, mgoldboi, michal.skrivanek, moni121189, paul, python-maint, rbryant, rhos-maint, sbonazzo, sclewis, sherold, sisharma, slinaber, smallamp, smohan, srevivo, ssaha, tcarlin, tdawson, tdecacqu, tsanders, vbellur, ykaul, ylavi
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-15 04:59:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1409756    

Description Andrej Nemec 2017-01-03 09:13:02 UTC 
A heap-buffer overflow vulnerability was discovered in cryptopp. This vulnerability can be used to remotely gain access to shell.

References:

http://seclists.org/oss-sec/2016/q4/760
https://pony7.fr/ctf:public:32c3:cryptmsg

Upstream bug:

https://github.com/dlitz/pycrypto/issues/176
Comment 1 Paul Howarth 2017-01-19 10:20:59 UTC 
Is EL-6's python-cryoto package not affected by this?
Comment 2 Paul Howarth 2017-01-19 10:21:41 UTC 
Whoops, typo there, I meant python-crypto.
Comment 3 Chandrani 2017-08-07 10:38:23 UTC 
Hi,
   Is this fix available as a part of pycrypto-2.6.1-py2.py3-none-any.whl. If not then in which release it will be bundled??

Thanks in advance.
Comment 4 Paul Howarth 2017-08-07 10:48:51 UTC 
There is no upstream release containing a fix for this issue, and there's no real prospect of there being one any time soon.

The lack of a fix for this is leading many other projects to move away from python-crypto (pycrypto) to other libraries such as python-cryptography instead.
Comment 5 Chandrani 2017-08-07 11:02:47 UTC 
(In reply to Paul Howarth from comment #4)
> There is no upstream release containing a fix for this issue, and there's no
> real prospect of there being one any time soon.
> 
> The lack of a fix for this is leading many other projects to move away from
> python-crypto (pycrypto) to other libraries such as python-cryptography
> instead.

Tku for the prompt reply
Comment 6 Kurt Seifried 2017-10-30 18:16:03 UTC 
RHUI 3 doesn't appear to use the affected code, emailed them to confirm, no reply yet.
Comment 7 Mark Knowles 2017-12-15 21:11:45 UTC 
kseifried advised that RHUI is unaffected.