Red Hat Bugzilla – Bug 1288254
python-cryptography: undefined behavior could lead to a crash
Last modified: 2016-11-08 10:53:34 EST
From the 1.0.2 changelog:
SECURITY ISSUE: The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with -O these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse. Accordingly, all response checks from the OpenSSL backend have been converted from assert to a true function call. Credit Emilia Käsper (Google Security Team) for the report.
RHEL 7.2 introduced the vulnerable version 0.8.2-1 from EPEL7. Fedora is fixed per #1267554. The move of this package from EPEL probably makes #1267556 obsolete / a duplicate of this?
Note: If you plan to upgrade to a newer version and are using the fedora spec, the dependency on python-cffi is incorrect and should be ">= 1.1" instead of ">= 0.8".
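An added illustration (not code from this bug or from python-cryptography itself) of the failure mode the changelog describes: an `assert`-based return-code check is compiled out at optimization level 1 (what `python -O` uses), while an explicit branch that raises is not. The check sources and the `InternalError` name are constructed for this example.

```python
"""Why assert-based return-code checks are unsafe under `python -O`."""


class InternalError(Exception):
    """Raised when an OpenSSL-style call reports failure; survives -O."""


# Constructed stand-ins for the two styles of response check (hypothetical names).
ASSERT_CHECK_SRC = """
def check(rc):
    assert rc == 1, "OpenSSL call failed"   # stripped when optimize >= 1
    return rc
"""

FUNCTION_CHECK_SRC = """
def check(rc):
    if rc != 1:                             # a real branch: never optimized away
        raise InternalError("OpenSSL call failed with rc=%d" % rc)
    return rc
"""


def outcome(src, rc, optimize=0):
    """Compile `src` at the given optimization level (1 mimics `python -O`),
    call its check() with return code `rc`, and report whether the check fired."""
    namespace = {"InternalError": InternalError}
    exec(compile(src, "<constructed>", "exec", optimize=optimize), namespace)
    try:
        namespace["check"](rc)
    except (AssertionError, InternalError):
        return "raised"
    return "passed"


if __name__ == "__main__":
    # An error return (rc=0) should always be reported; only the function-style
    # check does so once asserts are optimized away.
    for label, src in (("assert", ASSERT_CHECK_SRC), ("function", FUNCTION_CHECK_SRC)):
        for optimize in (0, 1):
            print(f"{label:8s} check, optimize={optimize}, rc=0 -> {outcome(src, 0, optimize)}")
```

With the assert style, a failing OpenSSL call under `-O` simply falls through and returns the bad code to the caller, which is exactly the "undefined behavior or worse" the changelog warns about.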
This is badly filed ... I am not sure against which package this is filed (do not file bugs to the Security Response product). Do you mean "Fedora EPEL/python-cryptography"? Then this is a duplicate of bug 1267556
Could you explain?
Matěj, thanks for responding. I was under the impression vulnerabilities in RHEL should go into the "Security Response" product and not into the affected product itself (RHEL 7.2). Is this incorrect?
This is not about EPEL7. Affected is python-cryptography-0.8.2-1.el7.src.rpm which was introduced in RHEL in 7.2 (CentOS has it in the 7/CR branch currently): http://vault.centos.org/7.1.1503/cr/Source/SPackages/python-cryptography-0.8.2-1.el7.src.rpm
(In reply to Robert Buchholz from comment #2)
> Matěj, thanks for responding. I was under the impression vulnerabilities in
> RHEL should go into the "Security Response" product and not into the
> affected product itself (RHEL 7.2). Is this incorrect?
Security issues should also be filed under the affected product and corresponding component. Just make sure you add Security into Keywords. Product Security will then pick it up, create a flaw bug and further process it as a security vulnerability.
> This is not about EPEL7. Affected is python-cryptography-0.8.2-1.el7.src.rpm
> which was introduced in RHEL in 7.2 (CentOS has it in the 7/CR branch
Thank you for pointing out that this package is also shipped in RHEL-7. At first, we omitted it. We're tracking this issue here:
Adam, I'll remember this for next time.
*** This bug has been marked as a duplicate of bug 1267548 ***