AES.new with invalid parameter crashes python #176

Open
anomen-s opened this Issue Dec 14, 2015 · 5 comments


anomen-s commented Dec 14, 2015

In Crypto 2.6.1 with Python 2.7.10 and 3.4.3, the following code causes a crash:

from Crypto.Cipher import AES

AES.new(b'\000' * 16, AES.MODE_ECB, b'\000' * 540)
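Added here as an example (not code from the issue report or from pycrypto itself): a thin wrapper that validates key and IV lengths in Python before anything is passed to AES.new, so an argument like the 540-byte "IV" in the report is refused with a ValueError instead of being handed to the C extension. The mode numbers are assumed to match pycrypto's Crypto.Cipher.AES constants, and the pycrypto import is deferred so the checks themselves run without the library installed.

```python
"""Defensive wrapper around pycrypto's AES.new: reject malformed arguments in Python."""

AES_BLOCK_SIZE = 16            # AES block (and IV) size in bytes
AES_KEY_SIZES = (16, 24, 32)   # AES-128 / AES-192 / AES-256

# Mode numbers assumed to match pycrypto's Crypto.Cipher.AES constants.
MODE_ECB = 1
MODE_CBC = 2
MODE_CFB = 3
MODE_OFB = 5
MODE_CTR = 6

IV_MODES = (MODE_CBC, MODE_CFB, MODE_OFB)   # modes that take a 16-byte IV
NO_IV_MODES = (MODE_ECB, MODE_CTR)          # modes that must not get an IV


def validate_aes_args(key, mode, iv=b""):
    """Return (key, mode, iv) as bytes if they are well-formed, else raise."""
    if not isinstance(key, (bytes, bytearray)):
        raise TypeError("key must be bytes")
    if len(key) not in AES_KEY_SIZES:
        raise ValueError("AES key must be 16, 24 or 32 bytes, got %d" % len(key))
    if not isinstance(iv, (bytes, bytearray)):
        raise TypeError("iv must be bytes")
    if mode in NO_IV_MODES:
        if len(iv) != 0:
            raise ValueError("mode %d takes no IV, got %d bytes" % (mode, len(iv)))
    elif mode in IV_MODES:
        if len(iv) != AES_BLOCK_SIZE:
            raise ValueError("IV must be exactly %d bytes, got %d"
                             % (AES_BLOCK_SIZE, len(iv)))
    else:
        raise ValueError("unsupported mode %r" % (mode,))
    return bytes(key), mode, bytes(iv)


def is_rejected(key, mode, iv=b""):
    """True when validate_aes_args refuses these arguments (handy for tests/logging)."""
    try:
        validate_aes_args(key, mode, iv)
    except (ValueError, TypeError):
        return True
    return False


def safe_aes_new(key, mode, iv=b"", **kwargs):
    """Validate first, then build the pycrypto cipher object.

    The import is deferred so the validation layer is usable (and testable)
    even where pycrypto is not installed.
    """
    key, mode, iv = validate_aes_args(key, mode, iv)
    from Crypto.Cipher import AES
    if iv:
        return AES.new(key, mode, iv, **kwargs)
    return AES.new(key, mode, **kwargs)


if __name__ == "__main__":
    # The report's crash input: a 540-byte third argument with ECB mode.
    try:
        safe_aes_new(b"\000" * 16, MODE_ECB, b"\000" * 540)
    except ValueError as exc:
        print("rejected before reaching the extension:", exc)
```

Until a fixed release is installed, routing every cipher construction through a check like this turns an out-of-bounds copy into a Python exception; it is a stopgap, not a substitute for upgrading.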

WGH- commented Dec 30, 2015

FWIW, it's actually an exploitable vulnerability.

johnthagen commented Oct 27, 2016

twirrim commented Oct 27, 2016

Can someone with more than half a clue about the details here possibly file a CVE for it?

tdsmith commented Nov 20, 2016

For the curious, this is fixed on master by 8dbe0dc, but hasn't been included in a release.

mbakke pushed a commit to mbakke/guix that referenced this issue Dec 27, 2016

gnu: python-stem: Don't use python-pycrypto.
Python-pycrypto is an optional dependency of python-stem. Python-pycrypto is
unmaintained [0] and contains an exploitable buffer overflow bug [1].

[0] dlitz/pycrypto#173
[1] dlitz/pycrypto#176

* gnu/packages/python.scm (python-stem, python2-stem)[propagated-inputs]: Remove
python-pycrypto.

FRidh referenced this issue Jan 4, 2017: Vulnerability Roundup 16 #21642 (Closed)

conradlink added a commit to conradlink/awesome-python that referenced this issue Jan 27, 2017

Remove pycrypto (vinta/awesome-python#819)
It appears pycrypto is no longer maintained and has known vulnerabilities, see:
dlitz/pycrypto#176
dlitz/pycrypto#173

Appears that larger projects (paramiko, ansible, twisted) have moved over to PyCA's cryptography, which is already on the list.

hguemar pushed a commit to rdo-common/python-crypto that referenced this issue Jul 18, 2017

Paul Howarth
Fix for CVE-2013-7459
AES.new with invalid parameter crashes python
(dlitz/pycrypto#176)

raymontag added a commit to raymontag/kppy that referenced this issue May 16, 2018

Changed PyCrypto to PyCryptodome
This commit removes the usage of PyCrypto and adds support for
PyCryptodome. This is necessary as PyCrypto is not maintained anymore
and seems to have serious issues. PyCryptodome is an active fork of
PyCrypto.

This is referenced in dlitz/pycrypto#173 and dlitz/pycrypto#176.

This is an answer to the suggestion from raymontag/keepass#72

raymontag added a commit to raymontag/keepassc that referenced this issue May 16, 2018

Changed PyCrypto to PyCryptodome
This commit removes the usage of PyCrypto and adds support for
PyCryptodome. This is necessary as PyCrypto is not maintained anymore
and seems to have serious issues. PyCryptodome is an active fork of
PyCrypto.

This is referenced in dlitz/pycrypto#173 and dlitz/pycrypto#176.

This is an answer to the suggestion from raymontag/keepass#72