563102 – <dev-python/m2crypto-0.24.0: pbkdf2 function crashes when given 74 byte result as argument

Bug 563102 - <dev-python/m2crypto-0.24.0: pbkdf2 function crashes when given 74 byte result as argument

Summary: <dev-python/m2crypto-0.24.0: pbkdf2 function crashes when given 74 byte resul...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2015-10-15 07:09 UTC by Agostino Sarubbo
Modified:	2017-05-25 06:16 UTC (History)
CC List:	1 user (show)

See Also:
Package list:	=dev-python/m2crypto-0.24.0
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2015-10-15 07:09:14 UTC

From ${URL} :

A bug was found in pbkdf2 function of m2crypto package, such that when given a 74 byte result, a 
buffer overflow occurs leading to crash of the application.

For reproducer and backtrace, see product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1270318


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-21 17:10:17 UTC

Upstream patch:

https://gitlab.com/m2crypto/m2crypto/commit/704ff438b5aca2fcf26431233bfb3950ce8e677a

In >=0.23.0.


@ Maintainer(s): Can we stabilize =dev-python/m2crypto-0.24.0?

Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-30 01:03:09 UTC

@ Arches,

please test and mark stable: =dev-python/m2crypto-0.24.0

Comment 3 Agostino Sarubbo gentoo-dev

2017-01-30 13:09:31 UTC

amd64 stable

Comment 4 Agostino Sarubbo gentoo-dev

2017-01-31 11:43:49 UTC

x86 stable

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev

2017-01-31 13:45:14 UTC

Stable for HPPA PPC64.

Comment 6 Tobias Klausmann (RETIRED) gentoo-dev

2017-01-31 15:53:21 UTC

Stable on alpha.

Comment 7 Michael Weber (RETIRED) gentoo-dev

2017-02-08 01:47:56 UTC

ppc stable.

Comment 8 Markus Meier gentoo-dev

2017-02-12 19:55:57 UTC

arm stable

Comment 9 Agostino Sarubbo gentoo-dev

2017-02-17 10:57:14 UTC

sparc stable

Comment 10 Agostino Sarubbo gentoo-dev

2017-02-18 14:44:52 UTC

ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 11 Yury German Gentoo Infrastructure

2017-04-17 22:52:01 UTC

Arches and Maintainer(s), Thank you for your work.
GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).

Comment 12 Yury German Gentoo Infrastructure

2017-05-25 06:16:47 UTC

Arches and Maintainer(s), Thank you for your work.