Bug 258049 (CVE-2009-0544) - <dev-python/pycrypto-2.0.1-r8 Buffer overflow in ARC2 module (CVE-2009-0544)
Status: RESOLVED FIXED
Alias: CVE-2009-0544
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
URL: http://gitweb2.dlitz.net/?p=crypto/py...
Whiteboard: A1 [glsa]
Reported: 2009-02-07 18:18 UTC by Matti Bickel (RETIRED)
Modified: 2020-04-10 11:36 UTC
Attachments
Unittest for ARC2 Buffer Overflow in CVE-2009-0544 (test.py,4.78 KB, text/plain)
2009-03-04 04:51 UTC, Jesus Rivero (RETIRED)
Description Matti Bickel (RETIRED) gentoo-dev 2009-02-07 18:18:28 UTC
There's a CVE request pending for a buffer overflow in the ARC2 key handling; it's described in this test case:
http://gitweb2.dlitz.net/?p=crypto/pycrypto-2.x.git;a=commitdiff;h=fd73731dfad451a81056fbb01e09aa78ab82eb5d

A patch is available here:
http://gitweb2.dlitz.net/?p=crypto/pycrypto-2.x.git;a=commitdiff;h=d1c4875e1f220652fe7ff8358f56dee3b2aba31b

Mike Wiacek <mjwiacek@google.com> is credited with finding this bug. No further detail is available and I'm afraid there's no packaged release yet.

herd, can you include this patch in our distribution?
Comment 1 Matti Bickel (RETIRED) gentoo-dev 2009-02-07 18:26:30 UTC
I'm quite unsure about the status here. If that's exploitable, it seems a user can pass an overly long key to ARC2 and can write arbitrary memory with its content.

As pycrypto may be pulled as a PDEPEND of portage, I set this to "A1". If you think this is wrong, please correct me.
Comment 2 Matti Bickel (RETIRED) gentoo-dev 2009-02-12 23:47:48 UTC
ping?
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-02-13 17:46:10 UTC
CVE-2009-0544 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0544):
  Buffer overflow in the PyCrypto ARC2 module 2.0.1 allows remote
  attackers to cause a denial of service and possibly execute arbitrary
  code via a large ARC2 key length.

Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-03-03 19:08:31 UTC
ping, python herd. upstream committed a patch 4 weeks ago. Is there anything holding this back from being fixed in our tree?
Comment 5 Jesus Rivero (RETIRED) gentoo-dev 2009-03-04 04:46:21 UTC
Hello, 

    dev-python/pycrypto-2.0.1-r8 in CVS now with suggested patch. I'm adding arches to this bug so they are aware of this and act accordingly. I'm also keeping this bug open.  

    Best regards,
Comment 6 Jesus Rivero (RETIRED) gentoo-dev 2009-03-04 04:51:13 UTC
Created attachment 183837
Unittest for ARC2 Buffer Overflow in CVE-2009-0544

This test case is a modified version of the one at securityfocus.com, so it runs on all python versions available in the tree.
Comment 7 Ferris McCormick (RETIRED) gentoo-dev 2009-03-04 13:39:23 UTC
Sparc stable for pycrypto-2.0.1-r8.  All tests run fine.
Comment 8 Brent Baude (RETIRED) gentoo-dev 2009-03-04 16:50:22 UTC
ppc64 done
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2009-03-04 20:25:16 UTC
ppc stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2009-03-05 14:30:06 UTC
Stable for HPPA.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2009-03-06 16:30:53 UTC
alpha/arm/ia64/s390/sh/x86 stable
Comment 12 Markus Meier gentoo-dev 2009-03-07 10:56:35 UTC
amd64 stable
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2009-03-09 13:06:11 UTC
GLSA 200903-11
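
An added example, not part of the bug report or of any Gentoo tool: a Python check that flags inventory entries inside the affected range from the bug title (`<dev-python/pycrypto-2.0.1-r8`). The inventory list is constructed, the function names are hypothetical, and version comparison is simplified to dotted numbers plus an optional `-rN` revision.

```python
import re

# Affected range taken from the bug title: <dev-python/pycrypto-2.0.1-r8
PACKAGE = "dev-python/pycrypto"
FIXED = "2.0.1-r8"

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")

# Constructed sample inventory (category/name-version strings).
INSTALLED = [
    "dev-python/pycrypto-2.0.1-r6",
    "dev-python/pycrypto-2.0.1",
    "dev-python/pycrypto-2.0.1-r8",
    "dev-python/pycrypto-2.1.0",
    "dev-python/pycrypto-2.1.0_beta1",
    "dev-lang/python-2.5.4-r2",
]


def parse_version(version):
    """Split '2.0.1-r8' into ((2, 0, 1), 8); a missing -rN is revision 0.

    Assumption: letter and _alpha/_beta/_rc/_p suffixes are not handled
    and raise ValueError so they are reviewed by hand, not guessed at.
    """
    match = _VERSION_RE.match(version)
    if match is None:
        raise ValueError("unsupported version syntax: %r" % version)
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, int(match.group(2) or 0)


def scan(installed):
    """Return (affected, unparsed) lists of pycrypto entries."""
    affected, unparsed = [], []
    prefix = PACKAGE + "-"
    for cpv in installed:
        if not cpv.startswith(prefix):
            continue  # some other package
        try:
            if parse_version(cpv[len(prefix):]) < parse_version(FIXED):
                affected.append(cpv)
        except ValueError:
            unparsed.append(cpv)
    return affected, unparsed


if __name__ == "__main__":
    print(scan(INSTALLED))
```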