
Bug 576494 (CVE-2013-7459)

Summary: <dev-python/pycrypto-2.6.1-r2: Heap-buffer overflow in ALGobject structure
Product: Gentoo Security
Reporter: WGH <wgh>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: python
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: http://seclists.org/oss-sec/2016/q4/766
See Also: https://bugs.gentoo.org/show_bug.cgi?id=610334
Whiteboard: A2 [glsa cve]
Package list: =dev-python/pycrypto-2.6.1-r2
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 606278

Description WGH 2016-03-05 08:43:46 UTC
dev-python/pycrypto contains an exploitable buffer overflow.

It has been featured as a challenge at 32C3 capture the flag.

Here is the GitHub issue: https://github.com/dlitz/pycrypto/issues/176

Write-ups for said CTF task:
https://pony7.fr/ctf:public:32c3:cryptmsg
https://rzhou.org/~ricky/32c3/cryptmsg/generate_qs.py
Comment 1 Patrice Clement (RETIRED) gentoo-dev 2016-03-07 08:54:57 UTC
@sec team

Can you confirm?
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-05 19:51:31 UTC
Yes, the vulnerability is real.

Upstream fix is https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4


@ Maintainer(s): Please consider a snapshot release or rev bump to include the fix.

Meanwhile we should consider removal, see https://github.com/dlitz/pycrypto/issues/173 -- dead project; depending applications should migrate to other libraries.
Comment 3 David Seifert gentoo-dev 2017-01-20 16:58:04 UTC
@sec, please start stabilising pycrypto-2.6.1-r2

commit 76964454e0a54e9fc2bb67f29c89155ca2c05a96
Author: David Seifert <soap@gentoo.org>
Date:   Fri Jan 20 17:56:09 2017 +0100

    dev-python/pycrypto: Add patch for CVE-2013-7459
    
    Gentoo-bug: 576494
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-20 17:02:41 UTC
Thank you for the bump!


@ Arches,

please test and mark stable: =dev-python/pycrypto-2.6.1-r2
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-21 11:44:17 UTC
Stable on alpha.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-21 12:21:58 UTC
Stable for PPC64.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-21 13:13:40 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2017-01-21 17:16:37 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-21 17:27:25 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-01-21 20:33:33 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-22 16:28:07 UTC
sparc stable
Comment 12 Agostino Sarubbo gentoo-dev 2017-01-23 16:27:49 UTC
ia64 stable
Comment 13 Markus Meier gentoo-dev 2017-02-05 16:56:53 UTC
arm stable, all arches done.
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2017-02-06 00:03:07 UTC
GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-02-20 23:23:40 UTC
This issue was resolved and addressed in GLSA 201702-14 at https://security.gentoo.org/glsa/201702-14 by GLSA coordinator Thomas Deutschmann (whissi).
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-20 23:24:51 UTC
Re-opening for cleanup.

@ Maintainer(s): Please cleanup and drop <dev-python/pycrypto-2.6.1-r2!
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2017-05-25 06:41:24 UTC
Arches and Maintainer(s), thank you for your work.