Red Hat Bugzilla – Bug 457733
CVE-2008-2316 python: integer overflow in hashlib module
Last modified: 2016-03-04 07:16:22 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2316 to the following vulnerability:
Integer overflow in _hashopenssl.c in the hashlib module in Python
2.5.2 and earlier might allow context-dependent attackers to defeat
cryptographic digests, related to "partial hashlib hashing of data
Created attachment 313349 [details]
David Remahl's patch against trunk
Issue was discovered and reported by David Remahl of the Apple Product Security team. Attached is David's proposed patch against trunk.
Created attachment 313350 [details]
David Remahl's patch against 2.5 branch
Not vulnerable. This issue did not affect the versions of python as
shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
Affected module was only added in Python 2.5:
- Added the hashlib module. It provides secure hash functions for MD5 and
SHA1, 224, 256, 384, and 512. Note that recent developments make the
historic MD5 and SHA1 unsuitable for cryptographic-strength applications.
Ronald L. Rivest offered this advice for Python:
"The consensus of researchers in this area (at least as
expressed at the NIST Hash Function Workshop 10/31/05),
is that SHA-256 is a good choice for the time being, but
that research should continue, and other alternatives may
arise from this research. The larger SHA's also seem OK."
This has been addressed in Patch998 in the current F-10 python branch. Do we close this? Has this been addressed everywhere?
*** Bug 655459 has been marked as a duplicate of this bug. ***