In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class. References: https://github.com/pyca/cryptography/issues/5615
Created python-cryptography tracking bugs for this issue: Affects: fedora-all [bug 1926227] Affects: openstack-rdo [bug 1926228]
The fix is trivial: https://github.com/pyca/cryptography/pull/5748 diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py index 2b10681b31..0f96795fdc 100644 --- a/src/cryptography/hazmat/backends/openssl/ciphers.py +++ b/src/cryptography/hazmat/backends/openssl/ciphers.py @@ -16,7 +16,7 @@ class _CipherContext(object): _ENCRYPT = 1 _DECRYPT = 0 - _MAX_CHUNK_SIZE = 2 ** 31 - 1 + _MAX_CHUNK_SIZE = 2 ** 30 - 1 def __init__(self, backend, cipher, mode, operation): self._backend = backend
FEDORA-2021-8e36e7ed1a has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-8e36e7ed1a
CloudForms stopped shipping python-cryptography 5.11 (5.0) onward. Support for 5.10 (4.7) is EOL from February 7, 2021. Please refer CloudForms Lifecycle page for more information: https://access.redhat.com/support/policy/updates/cloudforms
Statement: Triggering this flaw on in versions of python-cryptography as shipped with Red Hat Enterprise Linux 8 BaseOS, Appstream, as well as Red Hat Software Collections, can result in denial of service due to memory consumption or MemoryError exception. In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-cryptography package.
External References: https://cryptography.io/en/latest/changelog.html#v3-3-2
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1608 https://access.redhat.com/errata/RHSA-2021:1608
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-36242
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2021:2239 https://access.redhat.com/errata/RHSA-2021:2239
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254