CVE-2013-7459

Name: CVE-2013-7459
Description: Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-773-1
NVD severity: high (attack range: remote)
Debian Bugs: 849495

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package      | Release     | Version        | Status
python-crypto (PTS) | jessie      | 2.6.1-5+deb8u1 | fixed
python-crypto (PTS) | stretch     | 2.6.1-7        | fixed
python-crypto (PTS) | buster, sid | 2.6.1-9        | fixed

The information below is based on the following data on fixed versions.

Package       | Type   | Release    | Fixed Version  | Urgency | Origin    | Debian Bugs
python-crypto | source | (unstable) | 2.6.1-7        | high    |           | 849495
python-crypto | source | jessie     | 2.6.1-5+deb8u1 | high    |           |
python-crypto | source | wheezy     | 2.6-4+deb7u4   | high    | DLA-773-1 |

Notes

https://github.com/dlitz/pycrypto/issues/176
Fixed by: https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4
All users of pycrypto's AES module in Debian that allow the mode of operation to be specified from outside check for ECB explicitly and create the objects without specifying an IV.