lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20090305233836.GQ10132@outflux.net>
Date: Thu, 5 Mar 2009 15:38:36 -0800
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-729-1] Python Crypto vulnerability

===========================================================
Ubuntu Security Notice USN-729-1             March 05, 2009
python-crypto vulnerability
CVE-2009-0544
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  python2.4-crypto                2.0.1+dfsg1-1ubuntu1.1

Ubuntu 7.10:
  python-crypto                   2.0.1+dfsg1-2ubuntu1.1

Ubuntu 8.04 LTS:
  python-crypto                   2.0.1+dfsg1-2.1ubuntu1.1

Ubuntu 8.10:
  python-crypto                   2.0.1+dfsg1-2.3ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Mike Wiacek discovered that the ARC2 implementation in Python Crypto
did not correctly check the key length.  If a user or automated system
were tricked into processing a malicious ARC2 stream, a remote attacker
could execute arbitrary code or crash the application using Python Crypto,
leading to a denial of service.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-1ubuntu1.1.diff.gz
      Size/MD5:    10150 d118d7b4c9cbb3aba916f869d8e5f1b3
    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-1ubuntu1.1.dsc
      Size/MD5:      770 29a123e73e9324901e415e4d2be2f323
    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1.orig.tar.gz
      Size/MD5:   158593 f81d94a506981c67188f08057d797420

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-1ubuntu1.1_amd64.deb
      Size/MD5:    11154 e2465021dedb713c54f7d3e814167cf2
    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python2.4-crypto_2.0.1+dfsg1-1ubuntu1.1_amd64.deb
      Size/MD5:   171042 61b21abd565ef958e32a4297066ce701

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-1ubuntu1.1_i386.deb
      Size/MD5:    11156 3f9ccecc35ad1d27b2818da0d1285b0c
    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python2.4-crypto_2.0.1+dfsg1-1ubuntu1.1_i386.deb
      Size/MD5:   164156 f09da47006c94472c6c5ae5a77abdcc5

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-1ubuntu1.1_powerpc.deb
      Size/MD5:    11158 4f9a9214e15aa7d809a7871ec4e5cefe
    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python2.4-crypto_2.0.1+dfsg1-1ubuntu1.1_powerpc.deb
      Size/MD5:   182392 9eae34b2b8ace41afb35fabf3199bdd8

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-1ubuntu1.1_sparc.deb
      Size/MD5:    11158 a6f18647cd0130a1e64f89c5042f5277
    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python2.4-crypto_2.0.1+dfsg1-1ubuntu1.1_sparc.deb
      Size/MD5:   163300 e115a1d73e987e02803e3c10d1f33c55

Updated packages for Ubuntu 7.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2ubuntu1.1.diff.gz
      Size/MD5:    10952 4005a6b69726a90b63e96595f8d446ec
    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2ubuntu1.1.dsc
      Size/MD5:      960 6e166f36bff95826ad5739087a9dd9cd
    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1.orig.tar.gz
      Size/MD5:   158593 f81d94a506981c67188f08057d797420

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2ubuntu1.1_amd64.deb
      Size/MD5:   486454 ce89d8db64a1a8dee10db8cf18bb30a1
    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2ubuntu1.1_amd64.deb
      Size/MD5:   235488 c068f30cbe72009209c43e84063b1835

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2ubuntu1.1_i386.deb
      Size/MD5:   447440 605251d220c5e9952a9d4cc8e9c75060
    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2ubuntu1.1_i386.deb
      Size/MD5:   223402 7e3908d6888e172cf2154298f3f8c9f2

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2ubuntu1.1_lpia.deb
      Size/MD5:   443796 65776fb514a612b9a6e4a4aaa192fc5b
    http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2ubuntu1.1_lpia.deb
      Size/MD5:   220388 8ae74844b825139bbd3e635c4488cb8b

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2ubuntu1.1_powerpc.deb
      Size/MD5:   593560 33e015af10b7a351ee39f676e23653eb
    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2ubuntu1.1_powerpc.deb
      Size/MD5:   268382 ab1646b6dc87493c971dae32243bb242

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2ubuntu1.1_sparc.deb
      Size/MD5:   461776 fc87dcebd27091b601e8ccf8e838e453
    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2ubuntu1.1_sparc.deb
      Size/MD5:   226284 da69ba865e86bc0447076f675d884cf5

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.1ubuntu1.1.diff.gz
      Size/MD5:    11223 6365ecad8f9d716b7c068ab51dd93869
    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.1ubuntu1.1.dsc
      Size/MD5:      946 f9a5983f25d35bedcc72a2a5fdd052e3
    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1.orig.tar.gz
      Size/MD5:   158593 f81d94a506981c67188f08057d797420

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2.1ubuntu1.1_amd64.deb
      Size/MD5:   568060 aa46cf0d6adc7b0299debc303df435d1
    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.1ubuntu1.1_amd64.deb
      Size/MD5:   228736 e5543d872c3562e602408cdb39b03f63

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2.1ubuntu1.1_i386.deb
      Size/MD5:   514430 759b824c6389630b91b2da9e21a86a01
    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.1ubuntu1.1_i386.deb
      Size/MD5:   216922 b4eae87002c9c0a7f18abd9884004a49

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2.1ubuntu1.1_lpia.deb
      Size/MD5:   514468 bbf6e3cfa3fdfa1b0e2f89a03dd54ab8
    http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.1ubuntu1.1_lpia.deb
      Size/MD5:   216380 1f5250946df65f9d44e9027d2b397152

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2.1ubuntu1.1_powerpc.deb
      Size/MD5:   676536 334c5ed43ad9cbf7a521045ddbeae7d8
    http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.1ubuntu1.1_powerpc.deb
      Size/MD5:   258370 c70b751e7ef892ecbf0f5567b16719a0

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2.1ubuntu1.1_sparc.deb
      Size/MD5:   511630 ebfb3ca90c327363f19ececcba509a1f
    http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.1ubuntu1.1_sparc.deb
      Size/MD5:   221378 d98e810a1204c8b83749f19f91210a7b

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.3ubuntu0.1.diff.gz
      Size/MD5:    10354 37fb59b427446ceed5ed5a0800797e26
    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.3ubuntu0.1.dsc
      Size/MD5:     1424 41f352a397b85569bc23d0b85f194ed0
    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1.orig.tar.gz
      Size/MD5:   158593 f81d94a506981c67188f08057d797420

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2.3ubuntu0.1_amd64.deb
      Size/MD5:   552134 3857f8511956365a9c131c263d82b933
    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.3ubuntu0.1_amd64.deb
      Size/MD5:   227784 9349f0d14face27e266dfd4494d9e903

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2.3ubuntu0.1_i386.deb
      Size/MD5:   521518 0d33597259beac8b9b07cb5389b5bac3
    http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.3ubuntu0.1_i386.deb
      Size/MD5:   221226 44f0cbc17dfefef5e250fc547464dd8b

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2.3ubuntu0.1_lpia.deb
      Size/MD5:   521772 3375c209c1628434943694b85496ab4f
    http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.3ubuntu0.1_lpia.deb
      Size/MD5:   219324 612edcbece0f14f9903bc9e3b08790a3

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2.3ubuntu0.1_powerpc.deb
      Size/MD5:   682374 b4f032ad1611e4980a1caef7214b68f5
    http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.3ubuntu0.1_powerpc.deb
      Size/MD5:   269794 1dce6263c85c8cab3c03a104782f1b86

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2.3ubuntu0.1_sparc.deb
      Size/MD5:   512496 000f4c1d74291b6db92668a7c845c9b4
    http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.3ubuntu0.1_sparc.deb
      Size/MD5:   223042 0b52a4785c733bc85ff28640781f4b4a


Download attachment "signature.asc" of type "application/pgp-signature" (236 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ