AES.new with invalid parameter crashes python #176

Open
anomen-s opened this issue Dec 14, 2015 · 5 comments

@anomen-s anomen-s commented Dec 14, 2015

In Crypto 2.6.1 and Python 2.7.10 and 3.4.3
the following code causes a crash:

from Crypto.Cipher import AES

AES.new(b'\000' * 16, AES.MODE_ECB, b'\000' * 540)

@WGH- WGH- commented Dec 30, 2015

FWIW, it's actually an exploitable vulnerability.

@twirrim twirrim commented Oct 27, 2016

Can someone with more than half a clue about the details here possibly file a CVE for it?

@tdsmith tdsmith commented Nov 20, 2016

For the curious, this is fixed on master by 8dbe0dc, but hasn't been included in a release.

mbakke pushed a commit to mbakke/guix that referenced this issue Dec 27, 2016
Python-pycrypto is an optional dependency of python-stem. Python-pycrypto is
unmaintained [0] and contains an exploitable buffer overflow bug [1].

[0] pycrypto/pycrypto#173
[1] pycrypto/pycrypto#176

* gnu/packages/python.scm (python-stem, python2-stem)[propagated-inputs]: Remove
python-pycrypto.
@FRidh FRidh mentioned this issue Jan 4, 2017
38 of 38 tasks complete
conradlink added a commit to conradlink/awesome-python that referenced this issue Jan 27, 2017
It appears pycrypto is no longer maintained and has known vulnerabilities, see:
pycrypto/pycrypto#176
pycrypto/pycrypto#173

Appears that larger projects (paramiko, ansible, twisted) have moved over to PyCA's cryptography, which is already on the list.
hguemar pushed a commit to rdo-common/python-crypto that referenced this issue Jul 18, 2017
AES.new with invalid parameter crashes python
(pycrypto/pycrypto#176)
raymontag added a commit to raymontag/kppy that referenced this issue May 16, 2018
This commit removes the usage of PyCrypto and adds support for
PyCryptodome. This is necessary as PyCrypto is not maintained anymore
and seems to have serious issues. PyCryptodome is an active fork of
PyCrypto.

This is referenced in pycrypto/pycrypto#173 and pycrypto/pycrypto#176.

This is an answer to the suggestion from raymontag/keepass#72
raymontag added a commit to raymontag/keepassc that referenced this issue May 16, 2018
This commit removes the usage of PyCrypto and adds support for
PyCryptodome. This is necessary as PyCrypto is not maintained anymore
and seems to have serious issues. PyCryptodome is an active fork of
PyCrypto.

This is referenced in pycrypto/pycrypto#173 and pycrypto/pycrypto#176.

This is an answer to the suggestion from raymontag/keepass#72
@alles-klar alles-klar mentioned this issue Jul 12, 2019
2 of 4 tasks complete
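
An added example, not part of the original thread or of pycrypto's code: a small audit that flags requirements on pycrypto itself and reports which installed distribution provides the `Crypto` import package, since the commits referenced above replace pycrypto with PyCryptodome and both install under the same import name. The function names and the sample requirement lines are constructed for illustration.

```python
import re
from importlib import metadata

UNMAINTAINED = "pycrypto"  # the distribution this issue is filed against
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;#]*)")

def normalise(name):
    """PEP 503 name normalisation: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def audit_requirements(lines):
    """Return (line_number, specifier) for every requirement on pycrypto itself."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "-")):  # comments and pip options
            continue
        match = _REQ.match(line)
        # Compare whole names: "pycryptodome" must not match as a substring hit.
        if match and normalise(match.group(1)) == UNMAINTAINED:
            findings.append((number, match.group(2).strip()))
    return findings

def installed_providers():
    """Versions of the installed distributions that ship the `Crypto` package."""
    found = {}
    for dist in ("pycrypto", "pycryptodome"):  # both install as `import Crypto`
        try:
            found[dist] = metadata.version(dist)
        except metadata.PackageNotFoundError:
            pass
    return found

# Constructed sample input, not taken from any real project.
SAMPLE = [
    "# constructed requirements file",
    "paramiko>=2.0",
    "pycrypto==2.6.1",
    "PyCrypto >= 2.6  # legacy pin",
    "pycryptodome>=3",
    "pycryptodomex",
    "-r base.txt",
]

if __name__ == "__main__":
    for number, spec in audit_requirements(SAMPLE):
        print(f"line {number}: pycrypto {spec or '(unpinned)'} is unmaintained")
    print("installed:", installed_providers() or "no Crypto provider found")
```

Direct URL or `-e` requirements are skipped by this sketch, so a pycrypto checkout installed that way shows up only in `installed_providers()`.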