485298 – (CVE-2009-0544) CVE-2009-0544 python-crypto: buffer overflow in the ARC2 module

Bug 485298 (CVE-2009-0544) - CVE-2009-0544 python-crypto: buffer overflow in the ARC2 module

Summary: CVE-2009-0544 python-crypto: buffer overflow in the ARC2 module

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	CVE-2009-0544
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:	http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On:	485300 485301 485302
Blocks:
TreeView+	depends on / blocked

Reported:	2009-02-12 19:03 UTC by Vincent Danen
Modified:	2019-09-29 12:28 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2009-02-15 10:40:49 UTC
Embargoed:

Attachments	(Terms of Use)
testcase (5.13 KB, application/text) 2009-02-12 19:08 UTC, Vincent Danen	no flags	Details
View All

Description Vincent Danen 2009-02-12 19:03:08 UTC

Name: CVE-2009-0544
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0544
Assigned: 20090212
Reference: MLIST:[oss-security] 20090207 CVE Request: pycrypto
Reference: URL: http://www.openwall.com/lists/oss-security/2009/02/07/1
Reference: MLIST:[oss-security] 20090212 Re: CVE Request: pycrypto
Reference: URL: http://www.openwall.com/lists/oss-security/2009/02/12/5
Reference: CONFIRM: http://gitweb2.dlitz.net/?p=crypto/pycrypto-2.x.git;a=commitdiff;h=d1c4875e1f220652fe7ff8358f56dee3b2aba31b
Reference: CONFIRM: http://gitweb2.dlitz.net/?p=crypto/pycrypto-2.x.git;a=commitdiff;h=fd73731dfad451a81056fbb01e09aa78ab82eb5d
Reference: BID:33674
Reference: URL: http://www.securityfocus.com/bid/33674
Reference: XF:pycrypto-arc2module-bo(48617)
Reference: URL: http://xforce.iss.net/xforce/xfdb/48617

Buffer overflow in the PyCrypto ARC2 module 2.0.1 allows remote
attackers to cause a denial of service and possibly execute arbitrary
code via a large ARC2 key length.


The patch is here:

http://gitweb2.dlitz.net/?p=crypto/pycrypto-2.x.git;a=commitdiff;h=d1c4875e1f220652fe7ff8358f56dee3b2aba31b

Comment 2 Vincent Danen 2009-02-12 19:08:17 UTC

Created attachment 331731 [details]
testcase

Originally taken from http://downloads.securityfocus.com/vulnerabilities/exploits/SelfTest_Cipher_test_ARC2.py

Note You need to log in before you can comment on or make changes to this bug.