Bug 457733 (CVE-2008-2316)

Summary: CVE-2008-2316 python: integer overflow in hashlib module
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: james.antill, jlieskov, jonathansteffan, vdanen, zaitcev
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2316
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-23 18:50:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
David Remahl's patch against trunk
none
David Remahl's patch against 2.5 branch none

Description Tomas Hoger 2008-08-04 11:34:44 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2316 to the following vulnerability:

Integer overflow in _hashopenssl.c in the hashlib module in Python
2.5.2 and earlier might allow context-dependent attackers to defeat
cryptographic digests, related to "partial hashlib hashing of data
exceeding 4GB."

References:
http://security.gentoo.org/glsa/glsa-200807-16.xml
http://bugs.gentoo.org/show_bug.cgi?id=230640
Comment 1 Tomas Hoger 2008-08-04 11:40:03 UTC 
Created attachment 313349 [details]
David Remahl's patch against trunk

Issue was discovered and reported by David Remahl of the Apple Product Security team.  Attached is David's proposed patch against trunk.
Comment 2 Tomas Hoger 2008-08-04 11:41:25 UTC 
Created attachment 313350 [details]
David Remahl's patch against 2.5 branch
Comment 3 Tomas Hoger 2008-08-04 11:44:07 UTC 
Not vulnerable. This issue did not affect the versions of python as
shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Affected module was only added in Python 2.5:
  http://www.python.org/download/releases/2.5/NEWS.txt

- Added the hashlib module.  It provides secure hash functions for MD5 and
  SHA1, 224, 256, 384, and 512.  Note that recent developments make the
  historic MD5 and SHA1 unsuitable for cryptographic-strength applications.
  In <http://mail.python.org/pipermail/python-dev/2005-December/058850.html>
  Ronald L. Rivest offered this advice for Python:

      "The consensus of researchers in this area (at least as
      expressed at the NIST Hash Function Workshop 10/31/05),
      is that SHA-256 is a good choice for the time being, but
      that research should continue, and other alternatives may
      arise from this research.  The larger SHA's also seem OK."
Comment 7 Jonathan Steffan 2009-09-07 21:54:49 UTC 
This has been addressed in Patch998 in the current F-10 python branch. Do we close this? Has this been addressed everywhere?
Comment 8 Brendan Jones 2010-11-21 21:17:49 UTC 
*** Bug 655459 has been marked as a duplicate of this bug. ***