Joined: 12 May 2004
|Posted: Mon Mar 09, 2009 2:26 pm Post subject: [ GLSA 200903-11 ] PyCrypto: Execution of arbitrary code
|Gentoo Linux Security Advisory
Title: PyCrypto: Execution of arbitrary code (GLSA 200903-11)
Date: March 09, 2009
A buffer overflow in PyCrypto might lead to the execution of arbitrary code
when decrypting using ARC2.
PyCrypto is the Python Cryptography Toolkit.
Vulnerable: < 2.0.1-r8
Unaffected: >= 2.0.1-r8
Architectures: All supported architectures
Mike Wiacek of the Google Security Team reported a buffer overflow in
the ARC2 module when processing a large ARC2 key length.
A remote attacker could entice a user or automated system to decrypt an
ARC2 stream in an application using PyCrypto, possibly resulting in the
execution of arbitrary code or a Denial of Service.
There is no known workaround at this time.
All PyCrypto users should upgrade to the latest version:
|# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-python/pycrypto-2.0.1-r8"
Last edited by GLSA on Mon May 06, 2013 4:28 am; edited 4 times in total