Bug 28384

Summary: python-cryptography new security issue CVE-2020-36242
Product: Mageia Reporter: Zombie Ryushu <zombie_ryushu>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, mageia, ouaurelien, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-36242
Whiteboard: MGA8-64-OK
Source RPM: python-cryptography-3.3.1-1.mga8.src.rpm CVE: CVE-2020-36242
Status comment:

Description Zombie Ryushu 2021-02-20 09:07:19 CET 
In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.
Zombie Ryushu 2021-02-20 09:07:30 CET

CVE: (none) => CVE-2020-36242

Comment 1 Aurelien Oudelet 2021-02-20 13:22:03 CET 
Hi, thanks for reporting this.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Fedora has issued an advisory for this on February 12th 2021:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E/

Upstream changelog here:
https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst

Assignee: bugsquad => makowski.mageia
Whiteboard: (none) => MGA7TOO MGA8TOO
CC: (none) => ouaurelien

David Walser 2021-02-20 18:42:18 CET

Summary: python-cryptography Security issue CVE-2020-36242 => python-cryptography new security issue CVE-2020-36242
Status comment: (none) => Fixed upstream in 3.3.2
Severity: normal => major

Comment 2 David Walser 2021-02-27 19:21:41 CET 
Fedora has issued an advisory for this on February 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E/
Comment 3 Nicolas Lécureuil 2021-02-27 22:31:44 CET 
mageia 7 does not seems impacted:
https://github.com/saltstack/salt/commit/db4981505269292ff98e64464e2a56f38333cba9

and the code to fix does not exist.

src:

    - python-cryptography-3.3.1-1.1.mga8

Status comment: Fixed upstream in 3.3.2 => (none)
CC: (none) => mageia
Assignee: makowski.mageia => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA7TOO MGA8TOO => (none)

Comment 4 David Walser 2021-02-27 23:44:10 CET 
RPM:
python3-cryptography-3.3.1-1.1.mga8
Comment 5 Thomas Andrews 2021-03-10 16:41:33 CET 
No installation issues.

Referenced BUG 27567 for tests (Thank you, Herman)

$ python -c 'import cryptography;print(cryptography.__version__)'
3.3.1
$ python3 -c 'import cryptography;print(cryptography.__version__)'
3.3.1

Looks OK here. Validating.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Aurelien Oudelet 2021-03-11 23:47:00 CET 
Advisory:

type: security
subject: Updated python-cryptography package fixes a security vulnerability
CVE:
 - CVE-2020-36242
src:
  8:
   core:
     - python3-cryptography-3.3.1-1.1.mga8
description: |
  In the cryptography package before 3.3.2 for Python, certain sequences of
  update calls to symmetrically encrypt multi-GB values could result in an
  integer overflow and buffer overflow (CVE-2020-36242).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=28384
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E/

Keywords: (none) => advisory

Comment 7 Mageia Robot 2021-03-12 02:27:48 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0129.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED