Bug 769419 (CVE-2020-36242)

Summary:	<dev-python/cryptography-3.3.2: certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow
Product:	Gentoo Security	Reporter:	Michał Górny <mgorny>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	ajak, python
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	A4 [glsa+]
Package list:	dev-python/cryptography-3.3.2	Runtime testing required:	---

Description Michał Górny archtester

2021-02-08 08:31:34 UTC

* **SECURITY ISSUE:** Fixed a bug where certain sequences of ``update()`` calls
  when symmetrically encrypting very large payloads (>2GB) could result in an
  integer overflow, leading to buffer overflows. *CVE-2020-36242*

Comment 1 NATTkA bot gentoo-dev

2021-02-08 08:32:52 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: dev-python/cryptography-3.3.2

Comment 2 NATTkA bot gentoo-dev

2021-02-08 08:44:56 UTC Comment hidden (obsolete)

All sanity-check issues have been resolved

Comment 3 Sam James archtester

2021-02-08 17:26:53 UTC

x86 done

Comment 4 Sam James archtester

2021-02-09 06:16:49 UTC

sparc done

Comment 5 Sam James archtester

2021-02-11 07:54:30 UTC

amd64 done

Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev

2021-02-11 23:00:05 UTC

ppc64 stable

Comment 7 Sam James archtester

2021-02-13 17:57:45 UTC

arm64 done

Comment 8 Sam James archtester

2021-02-14 19:44:22 UTC

arm done

Comment 9 Sam James archtester

2021-02-15 10:49:13 UTC

ppc done

Comment 10 Rolf Eike Beer archtester

2021-02-16 20:15:01 UTC

hppa stable

Comment 11 Sam James archtester

2021-04-05 22:25:53 UTC

s390 done

all arches done

Comment 12 John Helmert III archtester

2021-04-06 01:48:06 UTC

Please cleanup.

Comment 13 Larry the Git Cow gentoo-dev

2021-04-06 06:28:28 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4caeb851ad299b29220092be27856dd0e4c8d57

commit f4caeb851ad299b29220092be27856dd0e4c8d57
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-04-06 06:27:39 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-04-06 06:27:49 +0000

    dev-python/cryptography: Remove old
    
    Closes: https://bugs.gentoo.org/769419
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/cryptography/Manifest                  |  4 --
 dev-python/cryptography/cryptography-3.2.1.ebuild | 67 -----------------------
 dev-python/cryptography/cryptography-3.3.1.ebuild | 67 -----------------------
 3 files changed, 138 deletions(-)

Comment 14 Michał Górny archtester

2021-04-06 06:28:56 UTC

Sry, wrong tag.

Comment 15 NATTkA bot gentoo-dev

2021-05-18 11:44:29 UTC

Unable to check for sanity:

> no match for package: dev-python/cryptography-3.3.2

Comment 16 Larry the Git Cow gentoo-dev

2024-07-01 06:10:19 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c64e048a91b0aa0d481f453db2b0de77a5123fc4

commit c64e048a91b0aa0d481f453db2b0de77a5123fc4
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-07-01 05:59:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-07-01 06:09:25 +0000

    [ GLSA 202407-06 ] cryptography: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/769419
    Bug: https://bugs.gentoo.org/864049
    Bug: https://bugs.gentoo.org/893576
    Bug: https://bugs.gentoo.org/918685
    Bug: https://bugs.gentoo.org/925120
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202407-06.xml | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)