Bug 28384 - python-cryptography new security issue CVE-2020-36242
Summary: python-cryptography new security issue CVE-2020-36242
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-02-20 09:07 CET by Zombie Ryushu
Modified: 2021-03-12 02:27 CET
CC: 4 users

See Also:
Source RPM: python-cryptography-3.3.1-1.mga8.src.rpm
CVE: CVE-2020-36242
Status comment:


Attachments

Description Zombie Ryushu 2021-02-20 09:07:19 CET
In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.
Zombie Ryushu 2021-02-20 09:07:30 CET

CVE: (none) => CVE-2020-36242

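The description above boils down to a size problem: a single symmetric update() call (Fernet hands its whole plaintext to one such call) that carries multi-GB input can push a length computation past what the underlying C code expects. Added example, not code from this bug report or from pyca/cryptography: a caller-side mitigation for code that is pinned to a build older than 3.3.2, which splits the input into bounded chunks before each update(). The 1 GiB limit, the `chunked_update` and `iter_chunks` helpers, the `RecordingContext` stand-in and the `encrypt_large` wrapper are all this example's own assumptions; the AES-CTR wrapper needs the cryptography package at call time, everything else runs stand-alone.

```python
"""Caller-side chunking so no symmetric update() call receives more than a
bounded number of bytes.

Added example for the Mageia bug thread on CVE-2020-36242; it is not the
bug reporter's code and not pyca/cryptography's own fix. The chunk limit is
an assumption: 1 GiB keeps every per-call length far below 2**31 - 1, the
range of a C `int`.
"""
from typing import Callable, Iterator, List

MAX_CHUNK = 1 << 30  # assumption: 1 GiB per update() call


def iter_chunks(data, max_chunk: int = MAX_CHUNK) -> Iterator[memoryview]:
    """Yield zero-copy memoryview slices of `data`, each at most `max_chunk` bytes.

    Works for bytes, bytearray and mmap objects, so a multi-GB file does not
    have to be copied just to be split.
    """
    if max_chunk <= 0:
        raise ValueError("max_chunk must be positive")
    view = memoryview(data).cast("B")
    for off in range(0, len(view), max_chunk):
        yield view[off:off + max_chunk]


def chunked_update(update: Callable[[bytes], bytes], data,
                   max_chunk: int = MAX_CHUNK) -> bytes:
    """Feed `data` to a cipher context's update() in bounded chunks and return
    the concatenated output. `update` is any callable shaped like
    CipherContext.update(data) -> bytes."""
    out = bytearray()
    for chunk in iter_chunks(data, max_chunk):
        out += update(chunk)
    return bytes(out)


class RecordingContext:
    """Stand-in cipher context (constructed for this demo): records the size of
    every update() it receives and echoes the input back unchanged."""

    def __init__(self) -> None:
        self.sizes: List[int] = []

    def update(self, data) -> bytes:
        self.sizes.append(len(data))
        return bytes(data)


def demo_chunk_sizes(total: int, max_chunk: int) -> List[int]:
    """Return the per-call sizes chunked_update() produces for `total` bytes
    of constructed (all-zero) input."""
    ctx = RecordingContext()
    chunked_update(ctx.update, bytes(total), max_chunk)
    return ctx.sizes


def encrypt_large(key: bytes, nonce: bytes, plaintext,
                  max_chunk: int = MAX_CHUNK) -> bytes:
    """AES-CTR over `plaintext` with pyca/cryptography, every update() call
    bounded by `max_chunk`. Imports lazily so the rest of this file runs
    without the cryptography package installed."""
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    enc = Cipher(algorithms.AES(key), modes.CTR(nonce),
                 backend=default_backend()).encryptor()
    return chunked_update(enc.update, plaintext, max_chunk) + enc.finalize()


if __name__ == "__main__":
    print(demo_chunk_sizes(12, 5))  # [5, 5, 2]
```

The chunks are memoryview slices; cryptography's update() accepts any bytes-like object, so nothing is copied until the context produces output. If a different context insists on `bytes`, wrap the slice with `bytes(chunk)` inside the callable you pass in. Chunking at the caller only bounds what your own code passes; it is a stopgap, and the real fix is still the updated package.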
Comment 1 Aurelien Oudelet 2021-02-20 13:22:03 CET
Hi, thanks for reporting this.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Fedora has issued an advisory for this on February 12th 2021:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E/

Upstream changelog here:
https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst

Assignee: bugsquad => makowski.mageia
Whiteboard: (none) => MGA7TOO MGA8TOO
CC: (none) => ouaurelien

David Walser 2021-02-20 18:42:18 CET

Summary: python-cryptography Security issue CVE-2020-36242 => python-cryptography new security issue CVE-2020-36242
Status comment: (none) => Fixed upstream in 3.3.2
Severity: normal => major

Comment 2 David Walser 2021-02-27 19:21:41 CET
Fedora has issued an advisory for this on February 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E/
Comment 3 Nicolas Lécureuil 2021-02-27 22:31:44 CET
Mageia 7 does not seem impacted:
https://github.com/saltstack/salt/commit/db4981505269292ff98e64464e2a56f38333cba9

and the code to fix does not exist.

src:

    - python-cryptography-3.3.1-1.1.mga8

Status comment: Fixed upstream in 3.3.2 => (none)
CC: (none) => mageia
Assignee: makowski.mageia => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA7TOO MGA8TOO => (none)

Comment 4 David Walser 2021-02-27 23:44:10 CET
RPM:
python3-cryptography-3.3.1-1.1.mga8
Comment 5 Thomas Andrews 2021-03-10 16:41:33 CET
No installation issues.

Referenced BUG 27567 for tests (Thank you, Herman)

$ python -c 'import cryptography;print(cryptography.__version__)'
3.3.1
$ python3 -c 'import cryptography;print(cryptography.__version__)'
3.3.1

Looks OK here. Validating.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

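The version check in comment 5 prints 3.3.1 on the patched build as well, because the Mageia update is a backport that keeps the upstream version string and only bumps the package release (1.mga8 to 1.1.mga8). Added example, not from this bug or from Mageia's own tooling, that decides fixed-or-not from the package NEVR instead, using a segment-wise comparison modelled on rpmvercmp(3) (digits, letters and the `~` pre-release marker; the `^` marker is not handled). `FIXED_BUILDS`, `parse_nevr`, `rpmvercmp`, `compare_evr`, `is_fixed` and the `installed_nevr` rpm query are this example's own names; the rpm query is only run when called explicitly.

```python
"""Decide whether an installed RPM is at or past the build that carries a fix,
comparing epoch, version and release the way rpm does rather than trusting
the module's __version__ string.

Added example for the Mageia bug thread on CVE-2020-36242; not Mageia's or
the bug reporter's code. The fixed build comes from the advisory in this
thread; the comparison routine is a simplified re-implementation of
rpmvercmp(3) and is an assumption of this example.
"""
import re
import subprocess
from typing import Dict, Tuple

# Fixed build for this issue, as listed in the advisory (MGASA-2021-0129).
FIXED_BUILDS: Dict[str, str] = {
    "python3-cryptography": "python3-cryptography-3.3.1-1.1.mga8",
}

# One segment per run of digits, run of letters, or a '~' pre-release marker.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpmvercmp(3): numeric segments compare as
    integers, alphabetic ones lexically, a numeric segment beats an
    alphabetic one, and '~' sorts before anything (including the end)."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" and y == "~":
            continue
        if x == "~":
            return -1
        if y == "~":
            return 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif xd != yd:
            c = 1 if xd else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    # Shared segments all equal: the longer string is newer, unless its extra
    # part starts with '~' (a pre-release), which makes it older.
    rest = sa[len(sb):] or sb[len(sa):]
    if not rest:
        return 0
    longer_is_a = len(sa) > len(sb)
    if rest[0] == "~":
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1


def parse_nevr(nevr: str) -> Tuple[str, int, str, str]:
    """Split 'name-[epoch:]version-release' into (name, epoch, version, release).
    Splitting from the right keeps hyphens inside the package name intact."""
    name, version, release = nevr.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """Compare two NEVRs of the same package: epoch first, then version, then release."""
    na, ea, va, ra = parse_nevr(a)
    nb, eb, vb, rb = parse_nevr(b)
    if na != nb:
        raise ValueError(f"different packages: {na} vs {nb}")
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed: str) -> bool:
    """True when `installed` is at or past the fixed build for its package."""
    name = parse_nevr(installed)[0]
    if name not in FIXED_BUILDS:
        raise KeyError(f"no fixed build recorded for {name}")
    return compare_evr(installed, FIXED_BUILDS[name]) >= 0


def installed_nevr(package: str) -> str:
    """Ask rpm for the installed NAME-VERSION-RELEASE of `package`. The epoch is
    left out of the query because rpm prints '(none)' for an empty one."""
    out = subprocess.run(
        ["rpm", "-q", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}\n", package],
        check=True, capture_output=True, text=True,
    ).stdout
    return out.strip().splitlines()[0]


if __name__ == "__main__":
    for candidate in ("python3-cryptography-3.3.1-1.mga8",
                      "python3-cryptography-3.3.1-1.1.mga8"):
        print(candidate, "fixed" if is_fixed(candidate) else "VULNERABLE")
```

On a Mageia 8 host, `is_fixed(installed_nevr("python3-cryptography"))` answers the question comment 5's `print(cryptography.__version__)` cannot: both the pre- and post-update builds report 3.3.1, but only 1.1.mga8 and later contain the backported fix.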
Comment 6 Aurelien Oudelet 2021-03-11 23:47:00 CET
Advisory:

type: security
subject: Updated python-cryptography package fixes a security vulnerability
CVE:
 - CVE-2020-36242
src:
  8:
   core:
     - python3-cryptography-3.3.1-1.1.mga8
description: |
  In the cryptography package before 3.3.2 for Python, certain sequences of
  update calls to symmetrically encrypt multi-GB values could result in an
  integer overflow and buffer overflow (CVE-2020-36242).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=28384
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E/

Keywords: (none) => advisory

Comment 7 Mageia Robot 2021-03-12 02:27:48 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0129.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

