Bug 561696 - <dev-python/cryptography-1.0.2: with python -O, openssl asserts are optimised out leading to undefined behaviour
Summary: <dev-python/cryptography-1.0.2: with python -O, openssl asserts are optimised...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Duplicates: 561694
Depends on:
Blocks:
 
Reported: 2015-09-28 07:16 UTC by Justin Lecher (RETIRED)
Modified: 2015-12-23 23:36 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Justin Lecher (RETIRED) gentoo-dev 2015-09-28 07:16:31 UTC
1.0.2 - 2015-09-27
~~~~~~~~~~~~~~~~~~
* **SECURITY ISSUE**: The OpenSSL backend prior to 1.0.2 made extensive use
  of assertions to check response codes where our tests could not trigger a
  failure.  However, when Python is run with ``-O`` these asserts are optimized
  away.  If a user ran Python with this flag and got an invalid response code
  this could result in undefined behavior or worse. Accordingly, all response
  checks from the OpenSSL backend have been converted from ``assert``
  to a true function call. Credit **Emilia Käsper (Google Security Team)**
  for the report.

Security team please fix summary. I am not sure what is appropriate there.
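To make the changelog entry above concrete, here is a small added illustration (not code from pyca/cryptography or from this bug) that stands in for the OpenSSL binding with a fake call and contrasts the pre-1.0.2 ``assert`` pattern with a real function-call check; the names ``fake_openssl_call``, ``openssl_assert`` and ``derive_key_*`` are invented for the example.

```python
"""Why `assert` is the wrong tool for checking OpenSSL return codes.

Illustration added to this bug report; the OpenSSL call is a stand-in,
not the real binding.
"""
import sys


class InternalError(Exception):
    """Raised when a (fake) OpenSSL call reports failure."""


def asserts_enabled() -> bool:
    """True if `assert` statements are compiled into this process.

    `__debug__` is False under `python -O`, and the compiler then drops
    every `assert` statement, so assert-based checks silently vanish.
    """
    return __debug__ and sys.flags.optimize == 0


def fake_openssl_call(ok: bool) -> int:
    """Stand-in for an OpenSSL function: 1 on success, 0 on failure."""
    return 1 if ok else 0


def openssl_assert(ok: int) -> None:
    """A true function call: executed regardless of the -O flag."""
    if ok != 1:
        raise InternalError("OpenSSL call failed (return code %d)" % ok)


def derive_key_assert_style(ok: bool) -> bytes:
    """Pre-1.0.2 pattern: under -O the check is gone and a 'key' is
    returned even though the underlying call failed."""
    res = fake_openssl_call(ok)
    assert res == 1
    return b"derived-key"


def derive_key_checked(ok: bool) -> bytes:
    """1.0.2 pattern: the explicit check runs with and without -O."""
    res = fake_openssl_call(ok)
    openssl_assert(res)
    return b"derived-key"


def failure_detected(func, ok: bool) -> bool:
    """Return True if func(ok) raised on the (fake) OpenSSL failure."""
    try:
        func(ok)
    except (AssertionError, InternalError):
        return True
    return False
```

Run the module once with ``python`` and once with ``python -O``: ``failure_detected(derive_key_assert_style, False)`` flips from True to False, while the checked variant rejects the failing call in both runs.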
Comment 1 Justin Lecher (RETIRED) gentoo-dev 2015-09-28 07:18:30 UTC
*** Bug 561694 has been marked as a duplicate of this bug. ***
Comment 2 Justin Lecher (RETIRED) gentoo-dev 2015-09-28 07:19:27 UTC
@arches, please keywords and stabilize

dev-python/cryptography-1.0.2
dev-python/cryptography-vectors-1.0.2
dev-python/idna-2.0
dev-python/ipaddress-1.0.14
dev-python/cffi-1.2.1
Comment 3 Agostino Sarubbo gentoo-dev 2015-09-28 07:48:34 UTC
For now I guess that this undefined behavior could lead to a crash.
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2015-09-28 15:27:57 UTC
This also needs dev-python/pyasn1-0.1.8.

All six stable on alpha.
Comment 5 Agostino Sarubbo gentoo-dev 2015-09-29 12:32:15 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-09-29 12:33:09 UTC
x86 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-09-30 03:36:57 UTC
Stable for HPPA PPC64.
Comment 8 Matt Turner gentoo-dev 2015-09-30 20:45:08 UTC
jlec, I have to remove mips@ from your stablereqs pretty often. Presumably you're not selecting with the "Add arches" button in bugzilla... maybe you need to update your script? (m68k, s390, and sh are also unstable)
Comment 9 Markus Meier gentoo-dev 2015-10-17 11:04:30 UTC
arm stable
Comment 10 Justin Lecher (RETIRED) gentoo-dev 2015-10-19 11:15:09 UTC
*** Bug 561372 has been marked as a duplicate of this bug. ***
Comment 11 Justin Lecher (RETIRED) gentoo-dev 2015-10-29 09:31:47 UTC
@arches, please proceed or we need to drop stable keywords.
Comment 12 Agostino Sarubbo gentoo-dev 2015-11-04 14:48:54 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2015-11-05 11:00:52 UTC
sparc stable
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-11-07 23:33:15 UTC
ia64 stable
Comment 15 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-11-11 16:35:52 UTC
If we pass here we can increase the dep in the openstack packages

https://review.openstack.org/#/c/244199/
Comment 16 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-11-11 19:14:15 UTC
Passed, feel free to update the openstack packages to <=dev-python/cryptography-1.1-r9999
Comment 17 Justin Lecher (RETIRED) gentoo-dev 2015-11-12 10:29:23 UTC
commit c3c2f1823de4a8a9c479c2c874a846c4de30d3d9
Author: Justin Lecher <jlec@gentoo.org>
Date:   Thu Nov 12 10:26:21 2015 +0100
    
    dev-python/cryptography: Drop vulnerable versions
    
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=561696
    
    obsoletes:
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=561604
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=559648
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=521796
    
    Package-Manager: portage-2.2.23
    Signed-off-by: Justin Lecher <jlec@gentoo.org>
    
    https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c3c2f1823de4a8a9c479c2c874a846c4de30d3d9
Comment 18 Justin Lecher (RETIRED) gentoo-dev 2015-11-12 10:29:41 UTC
Tree is clean again.
Comment 19 Yury German Gentoo Infrastructure gentoo-dev 2015-12-23 23:36:50 UTC
Arches and Maintainer(s), Thank you for your work.
GLSA Vote: No

Thank you all. Closing as noglsa.