Bug 1393431 (CVE-2016-9243) - CVE-2016-9243 python-cryptography: HKDF might return an empty byte-string
Summary: CVE-2016-9243 python-cryptography: HKDF might return an empty byte-string
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-9243
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1393432
Blocks: 1393433
Reported: 2016-11-09 14:36 UTC by Andrej Nemec
Modified: 2022-05-17 16:23 UTC (History)

Fixed In Version: python-cryptography 1.5.3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 03:01:55 UTC
Embargoed:



Description Andrej Nemec 2016-11-09 14:36:53 UTC
Cryptography 1.5.3 release fixed one security issue.

HKDF would return an empty byte-string if used with a length less than algorithm.digest_size.

References:

https://cryptography.io/en/latest/changelog/#id1

Upstream bug:

https://github.com/pyca/cryptography/issues/3211

Upstream patch:

https://github.com/pyca/cryptography/commit/b924696b2e8731f39696584d12cceeb3aeb2d874

Comment 1 Andrej Nemec 2016-11-09 14:37:29 UTC
Created python-cryptography tracking bugs for this issue:

Affects: fedora-all [bug 1393432]

Comment 2 Huzaifa S. Sidhpurwala 2016-11-10 07:57:20 UTC
Data returned by the HKDF() are deemed to be cryptographically strong keys, which can be used by other cryptographic primitives like ciphers to encrypt secret data. When HKDF() returns empty strings, then depending on the primitive used, it could mean weak encryption or perhaps no encryption at all.

