Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2316 to the following vulnerability: Integer overflow in _hashopenssl.c in the hashlib module in Python 2.5.2 and earlier might allow context-dependent attackers to defeat cryptographic digests, related to "partial hashlib hashing of data exceeding 4GB." References: http://security.gentoo.org/glsa/glsa-200807-16.xml http://bugs.gentoo.org/show_bug.cgi?id=230640
Created attachment 313349 [details] David Remahl's patch against trunk Issue was discovered and reported by David Remahl of the Apple Product Security team. Attached is David's proposed patch against trunk.
Created attachment 313350 [details] David Remahl's patch against 2.5 branch
Not vulnerable. This issue did not affect the versions of python as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Affected module was only added in Python 2.5: http://www.python.org/download/releases/2.5/NEWS.txt - Added the hashlib module. It provides secure hash functions for MD5 and SHA1, 224, 256, 384, and 512. Note that recent developments make the historic MD5 and SHA1 unsuitable for cryptographic-strength applications. In <http://mail.python.org/pipermail/python-dev/2005-December/058850.html> Ronald L. Rivest offered this advice for Python: "The consensus of researchers in this area (at least as expressed at the NIST Hash Function Workshop 10/31/05), is that SHA-256 is a good choice for the time being, but that research should continue, and other alternatives may arise from this research. The larger SHA's also seem OK."
This has been addressed in Patch998 in the current F-10 python branch. Do we close this? Has this been addressed everywhere?
*** Bug 655459 has been marked as a duplicate of this bug. ***