Buffer overflow in the PyCrypto ARC2 modules

Related Vulnerabilities: CVE-2009-0544  

Debian Bug report logs - #516660

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sun, 22 Feb 2009 22:45:01 UTC

Severity: grave

Tags: security

Fixed in version python-crypto/2.0.1+dfsg1-3

Done: Andreas Rottmann <rotty@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Andreas Rottmann <rotty@debian.org>:
Bug#516660; Package python-crypto. (Sun, 22 Feb 2009 22:45:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Andreas Rottmann <rotty@debian.org>. (Sun, 22 Feb 2009 22:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Buffer overflow in the PyCrypto ARC2 modules
Date: Sun, 22 Feb 2009 23:42:46 +0100
Package: python-crypto
Severity: grave
Tags: security

--
Name: CVE-2009-0544
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0544
Reference: MLIST:[oss-security] 20090207 CVE Request: pycrypto
Reference: URL:http://www.openwall.com/lists/oss-security/2009/02/07/1
Reference: CONFIRM:http://gitweb2.dlitz.net/?p=crypto/pycrypto-2.x.git;a=commitdiff;h=d1c4875e1f220652fe7ff8358f56dee3b2aba31b
Reference: CONFIRM:http://gitweb2.dlitz.net/?p=crypto/pycrypto-2.x.git;a=commitdiff;h=fd73731dfad451a81056fbb01e09aa78ab82eb5d
Reference: XF:pycrypto-arc2module-bo(48617)
Reference: URL:http://xforce.iss.net/xforce/xfdb/48617

Buffer overflow in the PyCrypto ARC2 module 2.0.1 allows remote
attackers to cause a denial of service and possibly execute arbitrary
code via a large ARC2 key length.
---

Can you prepare updated packages for oldstable-security and stable-security?

Cheers,
        Moritz

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages python-crypto depends on:
ii  python                        2.5.2-3    An interactive high-level object-o
ii  python-central                0.6.8      register and build utility for Pyt

python-crypto recommends no packages.

Versions of packages python-crypto suggests:
pn  python-crypto-dbg             <none>     (no description available)




Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Rottmann <rotty@debian.org>:
Bug#516660; Package python-crypto. (Mon, 23 Feb 2009 02:39:02 GMT)


Acknowledgement sent to Andreas Rottmann <a.rottmann@gmx.at>:
Extra info received and forwarded to list. Copy sent to Andreas Rottmann <rotty@debian.org>. (Mon, 23 Feb 2009 02:39:02 GMT)


Message #10 received at 516660@bugs.debian.org:

From: Andreas Rottmann <a.rottmann@gmx.at>
To: Moritz Muehlenhoff <jmm@debian.org>
Cc: 516660@bugs.debian.org
Subject: Re: Bug#516660: Buffer overflow in the PyCrypto ARC2 modules
Date: Mon, 23 Feb 2009 03:37:37 +0100
Moritz Muehlenhoff <jmm@debian.org> writes:

> Buffer overflow in the PyCrypto ARC2 module 2.0.1 allows remote
> attackers to cause a denial of service and possibly execute arbitrary
> code via a large ARC2 key length.
> ---
>
> Can you prepare updated packages for oldstable-security and stable-security?
>
I'll try to do so tomorrow (or rather later today ;-), need to get some
sleep first. If that's not timely enough, could someone step in for me?

Regards, Rotty




Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Rottmann <rotty@debian.org>:
Bug#516660; Package python-crypto. (Mon, 23 Feb 2009 14:57:08 GMT)


Acknowledgement sent to Andreas Rottmann <a.rottmann@gmx.at>:
Extra info received and forwarded to list. Copy sent to Andreas Rottmann <rotty@debian.org>. (Mon, 23 Feb 2009 14:57:09 GMT)


Message #15 received at 516660@bugs.debian.org:

From: Andreas Rottmann <a.rottmann@gmx.at>
To: Moritz Muehlenhoff <jmm@debian.org>
Cc: 516660@bugs.debian.org
Subject: Re: Bug#516660: Buffer overflow in the PyCrypto ARC2 modules
Date: Mon, 23 Feb 2009 15:53:56 +0100
I've built a package for lenny now, a package for etch will follow
soon. As this is my first time to prepare a security-fix package, I'm
not exactly sure if I've done everything according to the rules. .dsc
and .diff.gz attached.

[python-crypto_2.0.1+dfsg1-2.3+lenny0.dsc (text/plain, attachment)]
[python-crypto_2.0.1+dfsg1-2.3+lenny0.diff.gz (application/x-gzip, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Rottmann <rotty@debian.org>:
Bug#516660; Package python-crypto. (Mon, 23 Feb 2009 15:51:39 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Andreas Rottmann <rotty@debian.org>. (Mon, 23 Feb 2009 15:51:41 GMT)


Message #20 received at 516660@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Andreas Rottmann <a.rottmann@gmx.at>
Cc: Moritz Muehlenhoff <jmm@debian.org>, 516660@bugs.debian.org
Subject: Re: Bug#516660: Buffer overflow in the PyCrypto ARC2 modules
Date: Mon, 23 Feb 2009 16:46:30 +0100
On Mon, Feb 23, 2009 at 03:53:56PM +0100, Andreas Rottmann wrote:
> 
> I've built a package for lenny now, a package for etch will follow
> soon. As this is my first time to prepare a security-fix package, I'm
> not exactly sure if I've done everything according to the rules. .dsc
> and .diff.gz attached.

Looks good, the Lenny packages are building.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Rottmann <rotty@debian.org>:
Bug#516660; Package python-crypto. (Mon, 23 Feb 2009 19:27:02 GMT)


Acknowledgement sent to Andreas Rottmann <a.rottmann@gmx.at>:
Extra info received and forwarded to list. Copy sent to Andreas Rottmann <rotty@debian.org>. (Mon, 23 Feb 2009 19:27:03 GMT)


Message #25 received at 516660@bugs.debian.org:

From: Andreas Rottmann <a.rottmann@gmx.at>
To: Moritz Muehlenhoff <jmm@debian.org>
Cc: 516660@bugs.debian.org
Subject: Re: Bug#516660: Buffer overflow in the PyCrypto ARC2 modules
Date: Mon, 23 Feb 2009 20:22:17 +0100
Ok, here's the .dsc and .diff.gz for etch:

[python-crypto_2.0.1+dfsg1-1.2+etch0.dsc (text/plain, attachment)]
[python-crypto_2.0.1+dfsg1-1.2+etch0.diff.gz (application/x-gzip, attachment)]
Cheers, Rotty

Reply sent to Andreas Rottmann <rotty@debian.org>:
You have taken responsibility. (Fri, 20 Mar 2009 17:15:04 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Fri, 20 Mar 2009 17:15:04 GMT)


Message #30 received at 516660-close@bugs.debian.org:

From: Andreas Rottmann <rotty@debian.org>
To: 516660-close@bugs.debian.org
Subject: Bug#516660: fixed in python-crypto 2.0.1+dfsg1-3
Date: Fri, 20 Mar 2009 16:47:03 +0000
Source: python-crypto
Source-Version: 2.0.1+dfsg1-3

We believe that the bug you reported is fixed in the latest version of
python-crypto, which is due to be installed in the Debian FTP archive:

python-crypto-dbg_2.0.1+dfsg1-3_amd64.deb
  to pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-3_amd64.deb
python-crypto_2.0.1+dfsg1-3.diff.gz
  to pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-3.diff.gz
python-crypto_2.0.1+dfsg1-3.dsc
  to pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-3.dsc
python-crypto_2.0.1+dfsg1-3_amd64.deb
  to pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 516660@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Rottmann <rotty@debian.org> (supplier of updated python-crypto package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 20 Mar 2009 17:10:55 +0100
Source: python-crypto
Binary: python-crypto python-crypto-dbg
Architecture: source amd64
Version: 2.0.1+dfsg1-3
Distribution: unstable
Urgency: low
Maintainer: Andreas Rottmann <rotty@debian.org>
Changed-By: Andreas Rottmann <rotty@debian.org>
Description: 
 python-crypto - cryptographic algorithms and protocols for Python
 python-crypto-dbg - cryptographic algorithms and protocols for Python (debug extensio
Closes: 516660
Changes: 
 python-crypto (2.0.1+dfsg1-3) unstable; urgency=low
 .
   * Acknowledge NMUs.
   * Apply fix for CVE-2009-0544 (Buffer overflow in the ARC2 module), and
     a stand-alone version of the associated testcase (see
     http://www.openwall.com/lists/oss-security/2009/02/07/1).
     Closes: #516660.






Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Rottmann <rotty@debian.org>:
Bug#516660; Package python-crypto. (Thu, 26 Mar 2009 19:27:02 GMT)


Acknowledgement sent to T Chan <something-bz@sodium.serveirc.com>:
Extra info received and forwarded to list. Copy sent to Andreas Rottmann <rotty@debian.org>.

Your message did not contain a Subject field. They are recommended and useful because the title of a bug is determined using this field. Please remember to include a Subject field in your messages in future.

(Thu, 26 Mar 2009 19:27:02 GMT)


Message #35 received at 516660@bugs.debian.org:

From: T Chan <something-bz@sodium.serveirc.com>
To: undisclosed-recipients:;
Date: Thu, 26 Mar 2009 19:17:41 +0000 (UTC)
Now it gives the error message "ValueError: ARC2 key length must be less than 128 bytes", which is fine except that "less than" should be "less than or equal to".

I'm also slightly skeptical of the (U32) in the patch, which (if it's what I think it is) will still fail on 64-bit systems for a key size of e.g. 2**32.
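The (U32) concern raised above, illustrated as an added example: this is my own C, not the PyCrypto patch or its actual check, and the 128-byte context struct and the function names are assumptions. It contrasts a length check that narrows the value to 32 bits before comparing with one that compares the full-width length and accepts 128 bytes inclusive.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef uint32_t U32;          /* the 32-bit type the "(U32)" cast refers to */

#define ARC2_MAX_KEY_BYTES 128 /* RFC 2268: ARC2 keys are 1 to 128 bytes */

/* Truncating check, reconstructed from the reading of the patch above (an
 * assumption, not the real PyCrypto code): the 64-bit length is narrowed to
 * 32 bits before the comparison, so 2**32 wraps to 0 and is accepted.
 * Returns 1 if the length passes, 0 if it is rejected. */
int arc2_keylen_ok_truncating(uint64_t keylen)
{
    return (U32)keylen <= ARC2_MAX_KEY_BYTES;
}

/* Full-width check: compare the length as given, and accept 128 bytes
 * itself, which a "less than 128" test would wrongly exclude. */
int arc2_keylen_ok(uint64_t keylen)
{
    return keylen >= 1 && keylen <= ARC2_MAX_KEY_BYTES;
}

/* Assumed key-schedule context: a fixed 128-byte key buffer of the kind an
 * unchecked key length would be copied past. */
struct arc2_ctx {
    unsigned char key[ARC2_MAX_KEY_BYTES];
    size_t keylen;
};

/* Copy the caller's key into the fixed buffer only after the full-width
 * check. Returns 0 on success, -1 if the length is rejected; on -1 nothing
 * is written, so an oversized key never reaches memcpy. */
int arc2_set_key(struct arc2_ctx *ctx, const unsigned char *key, uint64_t keylen)
{
    if (!arc2_keylen_ok(keylen))
        return -1;
    memcpy(ctx->key, key, (size_t)keylen);
    ctx->keylen = (size_t)keylen;
    return 0;
}
```

Taking the length as a 64-bit value makes the wrap-around reproducible on any host; in the real module the width is whatever Python hands the extension, which is exactly why the comparison must not narrow it first.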




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 10 May 2009 07:33:02 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:51:28 2019; Machine Name: beach