Bug 1409754 (CVE-2013-7459) - CVE-2013-7459 pycrypto: Heap-buffer overflow in ALGobject structure
Summary: CVE-2013-7459 pycrypto: Heap-buffer overflow in ALGobject structure
Status: CLOSED WONTFIX
Alias: CVE-2013-7459
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20151215,repo...
Keywords: Reopened, Security
Depends On:
Blocks: 1409756
TreeView+ depends on / blocked
 
Reported: 2017-01-03 09:13 UTC by Andrej Nemec
Modified: 2018-02-12 10:39 UTC (History)
45 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2017-12-15 04:59:56 UTC


Attachments (Terms of Use)

Description Andrej Nemec 2017-01-03 09:13:02 UTC
A heap-buffer overflow vulnerability was discovered in cryptopp. This vulnerability can be used to remotely gain access to shell.

References:

http://seclists.org/oss-sec/2016/q4/760
https://pony7.fr/ctf:public:32c3:cryptmsg

Upstream bug:

https://github.com/dlitz/pycrypto/issues/176

Comment 1 Paul Howarth 2017-01-19 10:20:59 UTC
Is EL-6's python-cryoto package not affected by this?

Comment 2 Paul Howarth 2017-01-19 10:21:41 UTC
Whoops, typo there, I meant python-crypto.

Comment 3 Chandrani 2017-08-07 10:38:23 UTC
Hi,
   Is this fix available as a part of pycrypto-2.6.1-py2.py3-none-any.whl. If not then in which release it will be bundled??

Thanks in advance.

Comment 4 Paul Howarth 2017-08-07 10:48:51 UTC
There is no upstream release containing a fix for this issue, and there's no real prospect of there being one any time soon.

The lack of a fix for this is leading many other projects to move away from python-crypto (pycrypto) to other libraries such as python-cryptography instead.

Comment 5 Chandrani 2017-08-07 11:02:47 UTC
(In reply to Paul Howarth from comment #4)
> There is no upstream release containing a fix for this issue, and there's no
> real prospect of there being one any time soon.
> 
> The lack of a fix for this is leading many other projects to move away from
> python-crypto (pycrypto) to other libraries such as python-cryptography
> instead.

Tku for the prompt reply

Comment 6 Kurt Seifried 2017-10-30 18:16:03 UTC
RHUI 3 doesn't appear to use the affected code, emailed them to confirm, no reply yet.

Comment 7 Mark Knowles 2017-12-15 21:11:45 UTC
kseifried advised that RHUI is unaffected.


Note You need to log in before you can comment on or make changes to this bug.