576494 – (CVE-2013-7459) <dev-python/pycrypto-2.6.1-r2: Heap-buffer overflow in ALGobject structure

Bug 576494 (CVE-2013-7459) - <dev-python/pycrypto-2.6.1-r2: Heap-buffer overflow in ALGobject structure

Summary: <dev-python/pycrypto-2.6.1-r2: Heap-buffer overflow in ALGobject structure

Status:	RESOLVED FIXED

Alias:	CVE-2013-7459

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major (vote)
Assignee:	Gentoo Security

URL:	http://seclists.org/oss-sec/2016/q4/766
Whiteboard:	A2 [glsa cve]
Keywords:

Depends on:
Blocks:	606278
	Show dependency tree

Reported:	2016-03-05 08:43 UTC by WGH
Modified:	2017-08-09 01:43 UTC (History)
CC List:	1 user (show)

See Also:	610334
Package list:	=dev-python/pycrypto-2.6.1-r2
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description WGH 2016-03-05 08:43:46 UTC

dev-python/pycrypto contains an exploitable buffer overflow.

It has been featured as a challenge at 32C3 capture the flag.

Here is GitHub issue: https://github.com/dlitz/pycrypto/issues/176

Write-ups for said CTF task:
https://pony7.fr/ctf:public:32c3:cryptmsg
https://rzhou.org/~ricky/32c3/cryptmsg/generate_qs.py

Comment 1 Patrice Clement gentoo-dev

2016-03-07 08:54:57 UTC

@sec team

Can you confirm?

Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev

2016-12-05 19:51:31 UTC

Yes, the vulnerability is real. 

Upstream fix is https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4


@ Maintainer(s): Please consider a snapshot release or rev bump to include the fix.

Meanwhile we should consider removal, see https://github.com/dlitz/pycrypto/issues/173 -- Dead project and depending application should migrate to other libraries.

Comment 3 David Seifert gentoo-dev

2017-01-20 16:58:04 UTC

@sec, please start stabilising pycrypto-2.6.1-r2

commit 76964454e0a54e9fc2bb67f29c89155ca2c05a96
Author: David Seifert <soap@gentoo.org>
Date:   Fri Jan 20 17:56:09 2017 +0100

    dev-python/pycrypto: Add patch for CVE-2013-7459
    
    Gentoo-bug: 576494

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-20 17:02:41 UTC

Thank you for the bump!


@ Arches,

please test and mark stable: =dev-python/pycrypto-2.6.1-r2

Comment 5 Tobias Klausmann (RETIRED) gentoo-dev

2017-01-21 11:44:17 UTC

Stable on alpha.

Comment 6 Jeroen Roovers (RETIRED) gentoo-dev

2017-01-21 12:21:58 UTC

Stable for PPC64.

Comment 7 Jeroen Roovers (RETIRED) gentoo-dev

2017-01-21 13:13:40 UTC

Stable for HPPA.

Comment 8 Agostino Sarubbo gentoo-dev

2017-01-21 17:16:37 UTC

amd64 stable

Comment 9 Agostino Sarubbo gentoo-dev

2017-01-21 17:27:25 UTC

x86 stable

Comment 10 Agostino Sarubbo gentoo-dev

2017-01-21 20:33:33 UTC

ppc stable

Comment 11 Agostino Sarubbo gentoo-dev

2017-01-22 16:28:07 UTC

sparc stable

Comment 12 Agostino Sarubbo gentoo-dev

2017-01-23 16:27:49 UTC

ia64 stable

Comment 13 Markus Meier gentoo-dev

2017-02-05 16:56:53 UTC

arm stable, all arches done.

Comment 14 Aaron Bauman (RETIRED) gentoo-dev

2017-02-06 00:03:07 UTC

GLSA request filed.

Comment 15 GLSAMaker/CVETool Bot gentoo-dev

2017-02-20 23:23:40 UTC

This issue was resolved and addressed in
 GLSA 201702-14 at https://security.gentoo.org/glsa/201702-14
by GLSA coordinator Thomas Deutschmann (whissi).

Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev

2017-02-20 23:24:51 UTC

Re-opening for cleanup.

@ Maintainer(s): Please cleanup and drop <dev-python/pycrypto-2.6.1-r2!

Comment 17 Yury German Gentoo Infrastructure

2017-05-25 06:41:24 UTC

Arches and Maintainer(s), Thank you for your work.