Integer overflow in _hashopenssl.c (CVE-2008-2316)

[brettcannon]

BPO	3886
Nosy	@loewis, @brettcannon, @gpshead, @matejcik, @benjaminp
Files	CVE-2008-2316-trunk.diff: Sent to PSRT

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2008-09-26.22:25:31.915>
created_at = <Date 2008-09-17.01:01:57.653>
labels = ['type-security', 'extension-modules', 'deferred-blocker']
title = 'Integer overflow in _hashopenssl.c (CVE-2008-2316)'
updated_at = <Date 2008-09-26.22:25:31.913>
user = 'https://github.com/brettcannon'

bugs.python.org fields:

activity = <Date 2008-09-26.22:25:31.913>
actor = 'benjamin.peterson'
assignee = 'none'
closed = True
closed_date = <Date 2008-09-26.22:25:31.915>
closer = 'benjamin.peterson'
components = ['Extension Modules']
creation = <Date 2008-09-17.01:01:57.653>
creator = 'brett.cannon'
dependencies = []
files = ['11507']
hgrepos = []
issue_num = 3886
keywords = ['patch', '64bit']
message_count = 11.0
messages = ['73321', '73343', '73349', '73350', '73372', '73374', '73392', '73402', '73406', '73760', '73900']
nosy_count = 6.0
nosy_names = ['loewis', 'brett.cannon', 'gregory.p.smith', 'schmir', 'matejcik', 'benjamin.peterson']
pr_nums = []
priority = 'deferred blocker'
resolution = 'fixed'
stage = None
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue3886'
versions = ['Python 3.0']

[brettcannon]

CVE-2008-2316
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2316) notes that
_hashopenssl.c has a potential integer overflow. Attached is the patch
sent to PSRT.

[benjaminp]

I'm ok with this patch.

[benjaminp]

Fixed in r66496.

[benjaminp]

Hmm. It's seems 3.0 will require a different patch. I can't get the
merging to work...

[schmir]

http://bugs.python.org/issue3026 is about the same issue (with a working
patch added 2 months ago). It's really sad that it sat there for so
long. I could have spent that time on something else...

(btw. my patch also made the hash functions interruptible, this is
something you might consider).

[loewis]

As a security issue, the patch should also be backport to 2.5 (and 2.4
if applicable)

[brettcannon]

Sorry about missing your work, Ralf. In the rush to getting a fix in for
2.6rc2 we went with the patch Apple sent to the security mailing list
when the CVE was reported to us.

And 2.5 has already been patched by r66497, so removing that as a
version that needs a patch.

[benjaminp]

hashlib doesn't exist in Python 2.4, so I'm not very worried about it. :)

[gpshead]

Python 2.4 uses an 'int' for ob_size so it does not appear at first
glance that its sha module (what hashlib was derived from) is
susceptible to this bug when compiled as 64-bit.

[benjaminp]

Got 3.0 in r66615. Somebody should really test it, though.

[benjaminp]

I'm going to close this because 2.5, 2.6, and 3.0 have been patched.
Gregory, if you're concerned about 2.4, I think you should make a
different issue.