Debian Bug report logs - #516660: Buffer overflow in the PyCrypto ARC2 modules
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Sun, 22 Feb 2009 22:45:01 UTC
Severity: grave
Tags: security
Fixed in version python-crypto/2.0.1+dfsg1-3
Done: Andreas Rottmann <rotty@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Andreas Rottmann <rotty@debian.org>: Bug#516660; Package python-crypto. (Sun, 22 Feb 2009 22:45:03 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Andreas Rottmann <rotty@debian.org>. (Sun, 22 Feb 2009 22:45:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: python-crypto
Severity: grave
Tags: security
--
Name: CVE-2009-0544
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0544
Reference: MLIST:[oss-security] 20090207 CVE Request: pycrypto
Reference: URL:http://www.openwall.com/lists/oss-security/2009/02/07/1
Reference: CONFIRM:http://gitweb2.dlitz.net/?p=crypto/pycrypto-2.x.git;a=commitdiff;h=d1c4875e1f220652fe7ff8358f56dee3b2aba31b
Reference: CONFIRM:http://gitweb2.dlitz.net/?p=crypto/pycrypto-2.x.git;a=commitdiff;h=fd73731dfad451a81056fbb01e09aa78ab82eb5d
Reference: XF:pycrypto-arc2module-bo(48617)
Reference: URL:http://xforce.iss.net/xforce/xfdb/48617
Buffer overflow in the PyCrypto ARC2 module 2.0.1 allows remote
attackers to cause a denial of service and possibly execute arbitrary
code via a large ARC2 key length.
---
Can you prepare updated packages for oldstable-security and stable-security?
Cheers,
Moritz
-- System Information:
Debian Release: 5.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages python-crypto depends on:
ii python 2.5.2-3 An interactive high-level object-o
ii python-central 0.6.8 register and build utility for Pyt
python-crypto recommends no packages.
Versions of packages python-crypto suggests:
pn python-crypto-dbg <none> (no description available)
Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Rottmann <rotty@debian.org>: Bug#516660; Package python-crypto. (Mon, 23 Feb 2009 02:39:02 GMT)
Acknowledgement sent to Andreas Rottmann <a.rottmann@gmx.at>: Extra info received and forwarded to list. Copy sent to Andreas Rottmann <rotty@debian.org>. (Mon, 23 Feb 2009 02:39:02 GMT)
Message #10 received at 516660@bugs.debian.org:
Moritz Muehlenhoff <jmm@debian.org> writes:
> Buffer overflow in the PyCrypto ARC2 module 2.0.1 allows remote
> attackers to cause a denial of service and possibly execute arbitrary
> code via a large ARC2 key length.
> ---
>
> Can you prepare updated packages for oldstable-security and stable-security?
>
I'll try to do so tomorrow (or rather later today ;-), need to get some
sleep first. If that's not timely enough, could someone step in for me?
Regards, Rotty
Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Rottmann <rotty@debian.org>: Bug#516660; Package python-crypto. (Mon, 23 Feb 2009 14:57:08 GMT)
Acknowledgement sent to Andreas Rottmann <a.rottmann@gmx.at>: Extra info received and forwarded to list. Copy sent to Andreas Rottmann <rotty@debian.org>. (Mon, 23 Feb 2009 14:57:09 GMT)
Message #15 received at 516660@bugs.debian.org:
I've built a package for lenny now, a package for etch will follow
soon. As this is my first time to prepare a security-fix package, I'm
not exactly sure if I've done everything according to the rules. .dsc
and .diff.gz attached.
[python-crypto_2.0.1+dfsg1-2.3+lenny0.dsc (text/plain, attachment)]
[python-crypto_2.0.1+dfsg1-2.3+lenny0.diff.gz (application/x-gzip, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Rottmann <rotty@debian.org>: Bug#516660; Package python-crypto. (Mon, 23 Feb 2009 15:51:39 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Andreas Rottmann <rotty@debian.org>. (Mon, 23 Feb 2009 15:51:41 GMT)
Message #20 received at 516660@bugs.debian.org:
On Mon, Feb 23, 2009 at 03:53:56PM +0100, Andreas Rottmann wrote:
>
> I've built a package for lenny now, a package for etch will follow
> soon. As this is my first time to prepare a security-fix package, I'm
> not exactly sure if I've done everything according to the rules. .dsc
> and .diff.gz attached.
Looks good, the Lenny packages are building.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Rottmann <rotty@debian.org>: Bug#516660; Package python-crypto. (Mon, 23 Feb 2009 19:27:02 GMT)
Acknowledgement sent to Andreas Rottmann <a.rottmann@gmx.at>: Extra info received and forwarded to list. Copy sent to Andreas Rottmann <rotty@debian.org>. (Mon, 23 Feb 2009 19:27:03 GMT)
Message #25 received at 516660@bugs.debian.org:
Ok, here's the .dsc and .diff.gz for etch:
[python-crypto_2.0.1+dfsg1-1.2+etch0.dsc (text/plain, attachment)]
[python-crypto_2.0.1+dfsg1-1.2+etch0.diff.gz (application/x-gzip, attachment)]
Cheers, Rotty
Reply sent to Andreas Rottmann <rotty@debian.org>: You have taken responsibility. (Fri, 20 Mar 2009 17:15:04 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Fri, 20 Mar 2009 17:15:04 GMT)
Message #30 received at 516660-close@bugs.debian.org:
Source: python-crypto
Source-Version: 2.0.1+dfsg1-3
We believe that the bug you reported is fixed in the latest version of
python-crypto, which is due to be installed in the Debian FTP archive:
python-crypto-dbg_2.0.1+dfsg1-3_amd64.deb
to pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-3_amd64.deb
python-crypto_2.0.1+dfsg1-3.diff.gz
to pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-3.diff.gz
python-crypto_2.0.1+dfsg1-3.dsc
to pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-3.dsc
python-crypto_2.0.1+dfsg1-3_amd64.deb
to pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-3_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 516660@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Rottmann <rotty@debian.org> (supplier of updated python-crypto package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Fri, 20 Mar 2009 17:10:55 +0100
Source: python-crypto
Binary: python-crypto python-crypto-dbg
Architecture: source amd64
Version: 2.0.1+dfsg1-3
Distribution: unstable
Urgency: low
Maintainer: Andreas Rottmann <rotty@debian.org>
Changed-By: Andreas Rottmann <rotty@debian.org>
Description:
python-crypto - cryptographic algorithms and protocols for Python
python-crypto-dbg - cryptographic algorithms and protocols for Python (debug extensio
Closes: 516660
Changes:
python-crypto (2.0.1+dfsg1-3) unstable; urgency=low
.
* Acknowledge NMUs.
* Apply fix for CVE-2009-0544 (Buffer overflow in the ARC2 module), and
a stand-alone version of the associated testcase (see
http://www.openwall.com/lists/oss-security/2009/02/07/1).
Closes: #516660.
Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Rottmann <rotty@debian.org>: Bug#516660; Package python-crypto. (Thu, 26 Mar 2009 19:27:02 GMT)
Acknowledgement sent to T Chan <something-bz@sodium.serveirc.com>: Extra info received and forwarded to list. Copy sent to Andreas Rottmann <rotty@debian.org>. Your message did not contain a Subject field. They are recommended and useful because the title of a bug is determined using this field. Please remember to include a Subject field in your messages in future. (Thu, 26 Mar 2009 19:27:02 GMT)
Message #35 received at 516660@bugs.debian.org:
Now it gives the error message "ValueError: ARC2 key length must be less than 128 bytes", which is fine except that "less than" should be "less than or equal to".
I'm also slightly skeptical of the (U32) in the patch, which (if it's what I think it is) will still fail on 64-bit systems for a key size of e.g. 2**32.
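An added illustration of the two points raised in the comment above; it is not the PyCrypto patch and not code from this bug log. It shows the ARC2 key range of 1..128 bytes inclusive, and why a bounds check done on a length narrowed to a 32-bit U32 lets a 64-bit length such as 2**32 wrap to 0 and pass, whereas the same check on the full-width length rejects it. The function names, the U32 typedef and arc2_set_key are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* ARC2 (RC2) accepts keys of 1..128 bytes; the report concerns a longer
 * key overflowing a fixed-size key buffer.  Everything below is a
 * constructed illustration, not the PyCrypto code or its patch. */
#define ARC2_MAX_KEY_BYTES 128

typedef uint32_t U32;   /* assumed: a 32-bit type like the (U32) in the patch */

/* Check written the way the commenter suspects: the length is narrowed
 * to 32 bits before the comparison.  On a 64-bit build a length of 2**32
 * truncates to 0, and 2**32 + 16 truncates to 16, so both pass. */
bool key_len_ok_narrowed(uint64_t keylen)
{
    U32 narrowed = (U32)keylen;          /* value-truncating cast */
    return narrowed >= 1 && narrowed <= ARC2_MAX_KEY_BYTES;
}

/* Check on the full-width length: no narrowing, so no wrap-around.
 * "<= 128" keeps a 128-byte key valid, as the commenter points out. */
bool key_len_ok_fullwidth(uint64_t keylen)
{
    return keylen >= 1 && keylen <= ARC2_MAX_KEY_BYTES;
}

/* Sketch of a hardened key setup: the length is validated on the
 * full-width type before any byte is copied into the fixed buffer.
 * Returns 0 on success, -1 when the length is rejected (the Python
 * wrapper would raise ValueError in that case). */
int arc2_set_key(unsigned char key_buf[ARC2_MAX_KEY_BYTES],
                 const unsigned char *key, uint64_t keylen)
{
    if (!key_len_ok_fullwidth(keylen))
        return -1;
    memcpy(key_buf, key, (size_t)keylen); /* keylen <= 128: in bounds */
    return 0;
}
```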
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 10 May 2009 07:33:02 GMT)
Last modified: Wed Jun 19 15:51:28 2019