dev-python/pycrypto contains an exploitable buffer overflow. It has been featured as a challenge at 32C3 capture the flag. Here is GitHub issue: https://github.com/dlitz/pycrypto/issues/176 Write-ups for said CTF task: https://pony7.fr/ctf:public:32c3:cryptmsg https://rzhou.org/~ricky/32c3/cryptmsg/generate_qs.py
@sec team Can you confirm?
Yes, the vulnerability is real. Upstream fix is https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4 @ Maintainer(s): Please consider a snapshot release or rev bump to include the fix. Meanwhile we should consider removal, see https://github.com/dlitz/pycrypto/issues/173 -- Dead project and depending application should migrate to other libraries.
@sec, please start stabilising pycrypto-2.6.1-r2 commit 76964454e0a54e9fc2bb67f29c89155ca2c05a96 Author: David Seifert <soap@gentoo.org> Date: Fri Jan 20 17:56:09 2017 +0100 dev-python/pycrypto: Add patch for CVE-2013-7459 Gentoo-bug: 576494
Thank you for the bump! @ Arches, please test and mark stable: =dev-python/pycrypto-2.6.1-r2
Stable on alpha.
Stable for PPC64.
Stable for HPPA.
amd64 stable
x86 stable
ppc stable
sparc stable
ia64 stable
arm stable, all arches done.
GLSA request filed.
This issue was resolved and addressed in GLSA 201702-14 at https://security.gentoo.org/glsa/201702-14 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for cleanup. @ Maintainer(s): Please cleanup and drop <dev-python/pycrypto-2.6.1-r2!
Arches and Maintainer(s), Thank you for your work.