1288254 – python-cryptography: undefined behavior could lead to a crash

Bug 1288254 - python-cryptography: undefined behavior could lead to a crash

Summary: python-cryptography: undefined behavior could lead to a crash

Keywords:
Status:	CLOSED DUPLICATE of bug 1267548
Alias:	None
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:	https://github.com/pyca/cryptography/...
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-12-03 23:40 UTC by Robert Buchholz
Modified:	2016-11-08 15:53 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-12-04 11:53:55 UTC
Embargoed:

Attachments	(Terms of Use)

Description Robert Buchholz 2015-12-03 23:40:54 UTC

From the 1.0.2 changelog:

SECURITY ISSUE: The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with -O these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse. Accordingly, all response checks from the OpenSSL backend have been converted from assert to a true function call. Credit Emilia Käsper (Google Security Team) for the report.


RHEL 7.2 introduced the vulnerable version 0.8.2-1 from EPEL7. Fedora is fixed per #1267554. The move of this package from EPEL probably makes #1267556 obsolete / a duplicate of this?

Note: If you plan to upgrade to a newer version and are using the fedora spec, the dependency on python-cffi is incorrect and should be ">= 1.1" instead of ">= 0.8".

Comment 1 Matěj Cepl 2015-12-04 09:44:16 UTC

This is badly filed ... I am not sure against which package this is filed (do not file bugs to Security Response product). Do you mean "Fedora EPEL/python-cryptography"? Then this is duplicate of bug 1267556

Could you explain?

Comment 2 Robert Buchholz 2015-12-04 10:10:56 UTC

Matěj, thanks for responding. I was under the impression vulnerabilities in RHEL should go into the "Security Response" product and not into the affected product itself (RHEL 7.2). Is this incorrect?

This is not about EPEL7. Affected is python-cryptography-0.8.2-1.el7.src.rpm which was introduced in RHEL in 7.2 (CentOS has it in the 7/CR branch currently):  http://vault.centos.org/7.1.1503/cr/Source/SPackages/python-cryptography-0.8.2-1.el7.src.rpm

Comment 3 Adam Mariš 2015-12-04 10:29:51 UTC

(In reply to Robert Buchholz from comment #2)
> Matěj, thanks for responding. I was under the impression vulnerabilities in
> RHEL should go into the "Security Response" product and not into the
> affected product itself (RHEL 7.2). Is this incorrect?

Security issues should be filed also under the affected product and corresponding component. Just make sure you add Security into Keywords. Product Security will then pick it up, create a flaw bug a further process it as a security vulnerability.

> 
> This is not about EPEL7. Affected is python-cryptography-0.8.2-1.el7.src.rpm
> which was introduced in RHEL in 7.2 (CentOS has it in the 7/CR branch
> currently): 
> http://vault.centos.org/7.1.1503/cr/Source/SPackages/python-cryptography-0.8.
> 2-1.el7.src.rpm

Thank you for pointing out that this package is also shipped in RHEL-7. At first, we omitted it. We're tracking this issue here:

https://bugzilla.redhat.com/show_bug.cgi?id=1267548

Comment 4 Robert Buchholz 2015-12-04 10:45:26 UTC

Adam, I'll remember this for next time.

Comment 5 Adam Mariš 2015-12-04 11:53:55 UTC


*** This bug has been marked as a duplicate of bug 1267548 ***

Note You need to log in before you can comment on or make changes to this bug.