Bug 457733 - (CVE-2008-2316) CVE-2008-2316 python: integer overflow in hashlib module
CVE-2008-2316 python: integer overflow in hashlib module
Status: CLOSED UPSTREAM
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
source=vendor-sec,reported=20080702,p...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-08-04 07:34 EDT by Tomas Hoger
Modified: 2016-03-04 07:16 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-23 13:50:03 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
David Remahl's patch against trunk (4.81 KB, patch)
2008-08-04 07:40 EDT, Tomas Hoger
no flags Details | Diff
David Remahl's patch against 2.5 branch (4.81 KB, patch)
2008-08-04 07:41 EDT, Tomas Hoger
no flags Details | Diff

  None (edit)
Description Tomas Hoger 2008-08-04 07:34:44 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2316 to the following vulnerability:

Integer overflow in _hashopenssl.c in the hashlib module in Python
2.5.2 and earlier might allow context-dependent attackers to defeat
cryptographic digests, related to "partial hashlib hashing of data
exceeding 4GB."

References:
http://security.gentoo.org/glsa/glsa-200807-16.xml
http://bugs.gentoo.org/show_bug.cgi?id=230640
Comment 1 Tomas Hoger 2008-08-04 07:40:03 EDT
Created attachment 313349 [details]
David Remahl's patch against trunk

Issue was discovered and reported by David Remahl of the Apple Product Security team.  Attached is David's proposed patch against trunk.
Comment 2 Tomas Hoger 2008-08-04 07:41:25 EDT
Created attachment 313350 [details]
David Remahl's patch against 2.5 branch
Comment 3 Tomas Hoger 2008-08-04 07:44:07 EDT
Not vulnerable. This issue did not affect the versions of python as
shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Affected module was only added in Python 2.5:
  http://www.python.org/download/releases/2.5/NEWS.txt

- Added the hashlib module.  It provides secure hash functions for MD5 and
  SHA1, 224, 256, 384, and 512.  Note that recent developments make the
  historic MD5 and SHA1 unsuitable for cryptographic-strength applications.
  In <http://mail.python.org/pipermail/python-dev/2005-December/058850.html>
  Ronald L. Rivest offered this advice for Python:

      "The consensus of researchers in this area (at least as
      expressed at the NIST Hash Function Workshop 10/31/05),
      is that SHA-256 is a good choice for the time being, but
      that research should continue, and other alternatives may
      arise from this research.  The larger SHA's also seem OK."
Comment 7 Jonathan Steffan 2009-09-07 17:54:49 EDT
This has been addressed in Patch998 in the current F-10 python branch. Do we close this? Has this been addressed everywhere?
Comment 8 Brendan Jones 2010-11-21 16:17:49 EST
*** Bug 655459 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.