Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1409754 - (CVE-2013-7459) CVE-2013-7459 pycrypto: Heap-buffer overflow in ALGobject structure
CVE-2013-7459 pycrypto: Heap-buffer overflow in ALGobject structure
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20151215,repo...
: Reopened, Security
Depends On:
Blocks: 1409756
  Show dependency treegraph
 
Reported: 2017-01-03 04:13 EST by Andrej Nemec
Modified: 2018-02-12 05:39 EST (History)
45 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-12-14 23:59:56 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Andrej Nemec 2017-01-03 04:13:02 EST 
A heap-buffer overflow vulnerability was discovered in cryptopp. This vulnerability can be used to remotely gain access to shell.

References:

http://seclists.org/oss-sec/2016/q4/760
https://pony7.fr/ctf:public:32c3:cryptmsg

Upstream bug:

https://github.com/dlitz/pycrypto/issues/176
Comment 1 Paul Howarth 2017-01-19 05:20:59 EST 
Is EL-6's python-cryoto package not affected by this?
Comment 2 Paul Howarth 2017-01-19 05:21:41 EST 
Whoops, typo there, I meant python-crypto.
Comment 3 Chandrani 2017-08-07 06:38:23 EDT 
Hi,
   Is this fix available as a part of pycrypto-2.6.1-py2.py3-none-any.whl. If not then in which release it will be bundled??

Thanks in advance.
Comment 4 Paul Howarth 2017-08-07 06:48:51 EDT 
There is no upstream release containing a fix for this issue, and there's no real prospect of there being one any time soon.

The lack of a fix for this is leading many other projects to move away from python-crypto (pycrypto) to other libraries such as python-cryptography instead.
Comment 5 Chandrani 2017-08-07 07:02:47 EDT 
(In reply to Paul Howarth from comment #4)
> There is no upstream release containing a fix for this issue, and there's no
> real prospect of there being one any time soon.
> 
> The lack of a fix for this is leading many other projects to move away from
> python-crypto (pycrypto) to other libraries such as python-cryptography
> instead.

Tku for the prompt reply
Comment 6 Kurt Seifried 2017-10-30 14:16:03 EDT 
RHUI 3 doesn't appear to use the affected code, emailed them to confirm, no reply yet.
Comment 7 Mark Knowles 2017-12-15 16:11:45 EST 
kseifried advised that RHUI is unaffected.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.