| Name | CVE-2013-7459 |
|---|---|
| Description | Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-773-1 |
| Debian Bugs | 849495 |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| python-crypto | source | wheezy | 2.6-4+deb7u4 | | DLA-773-1 | |
| python-crypto | source | jessie | 2.6.1-5+deb8u1 | | | |
| python-crypto | source | (unstable) | 2.6.1-7 | | | 849495 |
https://github.com/dlitz/pycrypto/issues/176
Fixed by: https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4
All users of pycrypto's AES module in Debian that allow the mode of operation to be specified from outside check for ECB explicitly and create the objects without specifying an IV.