Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 610334 - dev-python/pycrypto: Update patch for CVE-2013-7459 for better compatibility
Summary: dev-python/pycrypto: Update patch for CVE-2013-7459 for better compatibility
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal
Deadline: 2020-05-18
Assignee: Python Gentoo Team
URL: https://www.ubuntu.com/usn/usn-3199-2/
Whiteboard:
Keywords: PATCH, PMASKED
Depends on:
Blocks:
 
Reported: 2017-02-21 01:13 UTC by Thomas Deutschmann (RETIRED)
Modified: 2020-06-11 20:28 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
CVE-2013-7459 regression (CVE-2013-7459-regression.patch,890 bytes, patch)
2017-02-21 01:13 UTC, Thomas Deutschmann (RETIRED)
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-21 01:13:12 UTC
Created attachment 464472 [details, diff]
CVE-2013-7459 regression

Debian/Ubuntu has update their pycrypto patch for CVE-2013-7459, from $URL:

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

USN-3199-1 introduced a regression in the Python Cryptography Toolkit which
caused programs which relied on the original behavior to fail.

Software Description:
- python-crypto: cryptographic algorithms and protocols for Python

Details:

USN-3199-1 fixed a vulnerability in the Python Cryptography Toolkit.
Unfortunately, various programs depended on the original behavior of the Python
Cryptography Toolkit which was altered when fixing the vulnerability. This
update retains the fix for the vulnerability but issues a warning rather than
throwing an exception. Code which produces this warning should be updated
because future versions of the Python Cryptography Toolkit re-introduce the
exception.

We apologize for the inconvenience.



We should probably do the same. I am attaching Debian/Ubuntu's patch.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-18 21:56:35 UTC
It looks like this may still be worth applying?
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-06-11 06:26:40 UTC
It's been removed.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2020-06-11 20:28:48 UTC
The patch already existed in the stable version that was removed from the tree. This bug was opened, FWICS, to address throwing an error vice an exception. As such, closing because there is no requirement for a security notice.