Fedora has issued an advisory today (November 19): https://lists.fedoraproject.org/pipermail/package-announce/2015-November/172083.html Note that the URL in the package also needs to be updated (see Fedora). Mageia 5 is also affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA5TOO
updated to python-m2crypto-0.22.5 and patched in Cauldron mga6 and in mga5 In 5/core/update_testing : python-m2crypto-0.22.5-1.mga5.i586 python-m2crypto-0.22.5-1.mga5.x86_64 from : python-m2crypto-0.22.5-1.mga5.src In 6/core/release : python-m2crypto-0.22.5-1.mga6.i586 python-m2crypto-0.22.5-1.mga6.x86_64 from : python-m2crypto-0.22.5-1.mga6.src
Assignee: makowski.mageia => security
Advisory: ======================== Updated python-m2crypto package fixes security vulnerability: A bug was found in pbkdf2 function of m2crypto package, such that when given a 74 byte result, a buffer overflow occurs leading to crash of the application (rhbz#1271165). References: https://lists.fedoraproject.org/pipermail/package-announce/2015-November/172083.html
Version: Cauldron => 5Assignee: security => qa-bugsWhiteboard: MGA5TOO => (none)
CC: (none) => davidwhodginsWhiteboard: (none) => advisory
mga5 x86_64 Mate $ sudo urpmi python-m2crypto Package python-m2crypto-0.22.3-5.mga5.x86_64 is already installed Ran the interactive python test as described in the reference URL: $ python >>> import M2Crypto >>> M2Crypto.EVP.pbkdf2('foo', 'abc', 1, 74) *** stack smashing detected ***: python terminated ======= Backtrace: ========= /lib64/libc.so.6(+0x7241e)[0x7fc15f32441e] ..... 7fc15d262000-7fc15d461000 ---p 0001a000 08:03 27263891 /usr/lib64/libz.so.1.2.8Abort Updated to python-m2crypto-0.22.5-1 and ran the test again $ python Python 2.7.9 (default, Dec 14 2014, 10:12:16) [GCC 4.9.2] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> import M2Crypto >>> M2Crypto.EVP.pbkdf2('foo', 'abc', 1, 74) '2n\x13\xdd\xab\xb1N\xbc\xc0\xb3\x16\x85\xb1_(#\x02\xe6\x92L\xf6\xb6\xf8<\x80\xb7v\xc8\xec\x83tZ\xfd4\x9f\r\xea>?\x1d\xbb\x9b\xe3\xe1"\xc9W\x9e\x80\xdc\x0e\x16t\x06\x8e\x86~q\x82\xd2,\xaaa\xb1\x06+4k\x1dg\xf7CXF' >>> exit() Assuming that this is an expected result, 64-bit OK.
CC: (none) => tarazed25
Whiteboard: advisory => has_procedure advisory MGA5-64-OK
mga5 i586 in vbox Mate $ sudo urpmi python-m2crypto installing python-m2crypto-0.22.3-5.mga5.i586.rpm from /var/cache/urpmi/rpms $ python >>> import M2Crypto >>> M2Crypto.EVP.pbkdf2('foo', 'abc', 1, 74) *** stack smashing detected ***: python terminated Backtrace then the abort message. After update: Ran the test as above and it returned precisely the same encryption information as in the 64-bit test.
Whiteboard: has_procedure advisory MGA5-64-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Well done Len
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0458.html
Status: NEW => RESOLVEDResolution: (none) => FIXED