Bug 1288254 - python-cryptography: undefined behavior could lead to a crash
Status: CLOSED DUPLICATE of bug 1267548
Product: Security Response
Classification: Other
Component: vulnerability
Assigned To: Red Hat Product Security
URL: https://github.com/pyca/cryptography/...
Keywords: Security
Reported: 2015-12-03 18:40 EST by Robert Buchholz
Modified: 2016-11-08 10:53 EST
Last Closed: 2015-12-04 06:53:55 EST
Doc Type: Bug Fix
Type: Bug

Description Robert Buchholz 2015-12-03 18:40:54 EST
From the 1.0.2 changelog:

SECURITY ISSUE: The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with -O these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse. Accordingly, all response checks from the OpenSSL backend have been converted from assert to a true function call. Credit Emilia Käsper (Google Security Team) for the report.
RHEL 7.2 introduced the vulnerable version 0.8.2-1 from EPEL7. Fedora is fixed per #1267554. The move of this package from EPEL probably makes #1267556 obsolete / a duplicate of this?

Note: If you plan to upgrade to a newer version and are using the fedora spec, the dependency on python-cffi is incorrect and should be ">= 1.1" instead of ">= 0.8".
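The changelog entry above is the whole story of the flaw: `assert` is a debugging aid, not a control-flow check, and `python -O` compiles it out. The following added example is not code from the bug report or from python-cryptography; it contrasts the pre-1.0.2 pattern (an `assert` on an OpenSSL-style response code) with the post-fix pattern (a plain function that raises), and spawns a child interpreter to show that a failing `assert` is simply skipped under `-O`. The names `weak_check`, `openssl_assert` and `InternalError` are hypothetical stand-ins, and the response codes are constructed.

```python
"""Why `assert` is not a security check: it disappears when Python runs with -O."""
import subprocess
import sys


class InternalError(Exception):
    """Raised when an OpenSSL-style call reports failure (hypothetical name)."""


def weak_check(ok: int) -> int:
    """Pre-1.0.2 pattern described in the changelog: an assert guards the
    response code. Under -O the assert is compiled out, so a bad code (0 here,
    a constructed value) falls straight through to the caller."""
    assert ok == 1, "OpenSSL call failed"
    return ok


def openssl_assert(ok: int) -> int:
    """Post-fix pattern: a real conditional that raises regardless of -O."""
    if ok != 1:
        raise InternalError("OpenSSL call failed (response code %r)" % ok)
    return ok


def runs_past_failed_assert(extra_flags):
    """Spawn a child interpreter with the given flags and report whether
    execution continues after a failing assert. The snippet is constructed
    for this demonstration and runs offline."""
    snippet = "assert False, 'never'\nprint('reached')"
    proc = subprocess.run(
        [sys.executable, *extra_flags, "-c", snippet],
        capture_output=True, text=True,
    )
    return "reached" in proc.stdout


def simulate_failed_call(check, ok=0):
    """Apply a check to a failing response code and report what happened."""
    try:
        check(ok)
    except (AssertionError, InternalError):
        return "raised"
    return "fell through"


if __name__ == "__main__":
    print("default interpreter continues past failed assert:",
          runs_past_failed_assert([]))
    print("-O interpreter continues past failed assert:",
          runs_past_failed_assert(["-O"]))
    print("weak_check in this process:", simulate_failed_call(weak_check))
    print("openssl_assert in this process:", simulate_failed_call(openssl_assert))
```

Run once normally and once with `python -O`: `weak_check` reports "raised" in the first run and "fell through" in the second, while `openssl_assert` reports "raised" both times. Auditing a code base for this pattern is as simple as looking for `assert` statements whose condition depends on a runtime value (a return code, a length, a parsed field) rather than on a programming invariant.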
Comment 1 Matěj Cepl 2015-12-04 04:44:16 EST
This is badly filed ... I am not sure against which package this is filed (do not file bugs against the Security Response product). Do you mean "Fedora EPEL/python-cryptography"? Then this is a duplicate of bug 1267556.

Could you explain?
Comment 2 Robert Buchholz 2015-12-04 05:10:56 EST
Matěj, thanks for responding. I was under the impression vulnerabilities in RHEL should go into the "Security Response" product and not into the affected product itself (RHEL 7.2). Is this incorrect?

This is not about EPEL7. Affected is python-cryptography-0.8.2-1.el7.src.rpm which was introduced in RHEL in 7.2 (CentOS has it in the 7/CR branch currently):  http://vault.centos.org/7.1.1503/cr/Source/SPackages/python-cryptography-0.8.2-1.el7.src.rpm
Comment 3 Adam Mariš 2015-12-04 05:29:51 EST
(In reply to Robert Buchholz from comment #2)
> Matěj, thanks for responding. I was under the impression vulnerabilities in
> RHEL should go into the "Security Response" product and not into the
> affected product itself (RHEL 7.2). Is this incorrect?

Security issues should also be filed under the affected product and corresponding component. Just make sure you add Security to Keywords. Product Security will then pick it up, create a flaw bug and further process it as a security vulnerability.

> 
> This is not about EPEL7. Affected is python-cryptography-0.8.2-1.el7.src.rpm
> which was introduced in RHEL in 7.2 (CentOS has it in the 7/CR branch
> currently): 
> http://vault.centos.org/7.1.1503/cr/Source/SPackages/python-cryptography-0.8.2-1.el7.src.rpm

Thank you for pointing out that this package is also shipped in RHEL-7. At first, we omitted it. We're tracking this issue here:

https://bugzilla.redhat.com/show_bug.cgi?id=1267548
Comment 4 Robert Buchholz 2015-12-04 05:45:26 EST
Adam, I'll remember this for next time.
Comment 5 Adam Mariš 2015-12-04 06:53:55 EST

*** This bug has been marked as a duplicate of bug 1267548 ***