CVE-2013-7459

Name: CVE-2013-7459
Description: Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-773-1
NVD severity: high
Debian Bugs: 849495

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package        Release   Version   Status
python-crypto (PTS)   stretch   2.6.1-7   fixed
python-crypto (PTS)   buster    2.6.1-9   fixed

The information below is based on the following data on fixed versions.

Package         Type     Release      Fixed Version     Urgency   Origin      Debian Bugs
python-crypto   source   wheezy       2.6-4+deb7u4                DLA-773-1
python-crypto   source   jessie       2.6.1-5+deb8u1
python-crypto   source   (unstable)   2.6.1-7                                 849495

Notes

https://github.com/dlitz/pycrypto/issues/176
Fixed by: https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4
All users of pycrypto's AES module in Debian that allow the mode of operation to be specified from outside check for ECB explicitly and create the objects without specifying an IV.
