Bug 576494 (CVE-2013-7459) - <dev-python/pycrypto-2.6.1-r2: Heap-buffer overflow in ALGobject structure
Summary: <dev-python/pycrypto-2.6.1-r2: Heap-buffer overflow in ALGobject structure
Alias: CVE-2013-7459
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: A2 [glsa cve]
Depends on:
Blocks: 606278
Reported: 2016-03-05 08:43 UTC by WGH
Modified: 2017-08-09 01:43 UTC

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Description WGH 2016-03-05 08:43:46 UTC
dev-python/pycrypto contains an exploitable buffer overflow.

It has been featured as a challenge at 32C3 capture the flag.

Here is the GitHub issue:

Write-ups for said CTF task:
Comment 1 Patrice Clement gentoo-dev 2016-03-07 08:54:57 UTC
@sec team

Can you confirm?
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-05 19:51:31 UTC
Yes, the vulnerability is real.

Upstream fix is

@ Maintainer(s): Please consider a snapshot release or rev bump to include the fix.

Meanwhile we should consider removal, see -- Dead project, and depending applications should migrate to other libraries.
Comment 3 David Seifert gentoo-dev 2017-01-20 16:58:04 UTC
@sec, please start stabilising pycrypto-2.6.1-r2

commit 76964454e0a54e9fc2bb67f29c89155ca2c05a96
Author: David Seifert <>
Date:   Fri Jan 20 17:56:09 2017 +0100

    dev-python/pycrypto: Add patch for CVE-2013-7459
    Gentoo-bug: 576494
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-20 17:02:41 UTC
Thank you for the bump!

@ Arches,

please test and mark stable: =dev-python/pycrypto-2.6.1-r2
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-21 11:44:17 UTC
Stable on alpha.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-21 12:21:58 UTC
Stable for PPC64.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-21 13:13:40 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2017-01-21 17:16:37 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-21 17:27:25 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-01-21 20:33:33 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-22 16:28:07 UTC
sparc stable
Comment 12 Agostino Sarubbo gentoo-dev 2017-01-23 16:27:49 UTC
ia64 stable
Comment 13 Markus Meier gentoo-dev 2017-02-05 16:56:53 UTC
arm stable, all arches done.
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2017-02-06 00:03:07 UTC
GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2017-02-20 23:23:40 UTC
This issue was resolved and addressed in GLSA 201702-14 at by GLSA coordinator Thomas Deutschmann (whissi).
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-20 23:24:51 UTC
Re-opening for cleanup.

@ Maintainer(s): Please clean up and drop <dev-python/pycrypto-2.6.1-r2!
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2017-05-25 06:41:24 UTC
Arches and Maintainer(s), thank you for your work.