1409754 – (CVE-2013-7459) CVE-2013-7459 pycrypto: Heap-buffer overflow in ALGobject structure

Bug 1409754 (CVE-2013-7459) - CVE-2013-7459 pycrypto: Heap-buffer overflow in ALGobject structure

Summary: CVE-2013-7459 pycrypto: Heap-buffer overflow in ALGobject structure

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2013-7459
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1409756
TreeView+	depends on / blocked

Reported:	2017-01-03 09:13 UTC by Andrej Nemec
Modified:	2020-12-14 07:22 UTC (History)
CC List:	45 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-12-15 04:59:56 UTC
Embargoed:

Attachments	(Terms of Use)

Description Andrej Nemec 2017-01-03 09:13:02 UTC

A heap-buffer overflow vulnerability was discovered in cryptopp. This vulnerability can be used to remotely gain access to shell.

References:

http://seclists.org/oss-sec/2016/q4/760
https://pony7.fr/ctf:public:32c3:cryptmsg

Upstream bug:

https://github.com/dlitz/pycrypto/issues/176

Comment 1 Paul Howarth 2017-01-19 10:20:59 UTC

Is EL-6's python-cryoto package not affected by this?

Comment 2 Paul Howarth 2017-01-19 10:21:41 UTC

Whoops, typo there, I meant python-crypto.

Comment 3 Chandrani 2017-08-07 10:38:23 UTC

Hi,
   Is this fix available as a part of pycrypto-2.6.1-py2.py3-none-any.whl. If not then in which release it will be bundled??

Thanks in advance.

Comment 4 Paul Howarth 2017-08-07 10:48:51 UTC

There is no upstream release containing a fix for this issue, and there's no real prospect of there being one any time soon.

The lack of a fix for this is leading many other projects to move away from python-crypto (pycrypto) to other libraries such as python-cryptography instead.

Comment 5 Chandrani 2017-08-07 11:02:47 UTC

(In reply to Paul Howarth from comment #4)
> There is no upstream release containing a fix for this issue, and there's no
> real prospect of there being one any time soon.
> 
> The lack of a fix for this is leading many other projects to move away from
> python-crypto (pycrypto) to other libraries such as python-cryptography
> instead.

Tku for the prompt reply

Comment 6 Kurt Seifried 2017-10-30 18:16:03 UTC

RHUI 3 doesn't appear to use the affected code, emailed them to confirm, no reply yet.

Comment 7 Mark Knowles 2017-12-15 21:11:45 UTC

kseifried advised that RHUI is unaffected.

Note You need to log in before you can comment on or make changes to this bug.

apevec
bleanhar
bmcclain
ccoleman
chrisw
dblechte
dedgar
dmcphers
eedri
jgoulding
jjoyce
jkeck
jmatthew
joelsmith
jschluet
kbasil
kdube
kseifried
lhh
lpeer
markmc
mburns
mgoldboi
michal.skrivanek
moni121189
paul
python-maint
rbryant
rhos-maint
sbonazzo
sclewis
sherold
sisharma
slinaber
smallamp
smohan
srevivo
ssaha
tcarlin
tdawson
tdecacqu
tsanders
vbellur
ykaul
ylavi