| Name | CVE-2018-15560 |
| Description | PyCryptodome before 3.6.6 has an integer overflow in the data_len variable in AESNI.c, related to the AESNI_encrypt and AESNI_decrypt functions, leading to the mishandling of messages shorter than 16 bytes. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| pycryptodome (PTS) | bullseye | 3.9.7+dfsg1-1 | fixed |
| bookworm | 3.11.0+dfsg1-4 | fixed |
| sid, trixie | 3.20.0+dfsg-3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| pycryptodome | source | (unstable) | (not affected) | | | |
Notes
- pycryptodome <not-affected> (Vulnerable code introduced later)
https://github.com/Legrandin/pycryptodome/issues/198
Introduced by: https://github.com/Legrandin/pycryptodome/commit/e1c7272f732abf3f2e2ea1326444ccbd339d17f2 (3.6.2)
Fixed by: https://github.com/Legrandin/pycryptodome/commit/d1739c62b9b845f8a5b342de08d6bf6e2722d247 (3.6.6)