dev-python/pycrypto contains an exploitable buffer overflow.
It has been featured as a challenge at 32C3 capture the flag.
Here is the GitHub issue: https://github.com/dlitz/pycrypto/issues/176
Write-ups for said CTF task:
Can you confirm?
Yes, the vulnerability is real.
Upstream fix is https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4
@ Maintainer(s): Please consider a snapshot release or rev bump to include the fix.
Meanwhile we should consider removal, see https://github.com/dlitz/pycrypto/issues/173 -- dead project, and depending applications should migrate to other libraries.
@sec, please start stabilising pycrypto-2.6.1-r2
Author: David Seifert <firstname.lastname@example.org>
Date: Fri Jan 20 17:56:09 2017 +0100
dev-python/pycrypto: Add patch for CVE-2013-7459
Thank you for the bump!
please test and mark stable: =dev-python/pycrypto-2.6.1-r2
Stable on alpha.
Stable for PPC64.
Stable for HPPA.
arm stable, all arches done.
GLSA request filed.
This issue was resolved and addressed in
GLSA 201702-14 at https://security.gentoo.org/glsa/201702-14
by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for cleanup.
@ Maintainer(s): Please clean up and drop <dev-python/pycrypto-2.6.1-r2!
Arches and Maintainer(s), thank you for your work.