Issue 3886: Integer overflow in _hashopenssl.c (CVE-2008-2316)

Created on 2008-09-17 01:01 by brett.cannon, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Files
File name: CVE-2008-2316-trunk.diff
Uploaded: brett.cannon, 2008-09-17 01:01
Description: Sent to PSRT
Messages (11)
msg73321 - Author: Brett Cannon (brett.cannon) * (Python committer) Date: 2008-09-17 01:01
CVE-2008-2316 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2316) notes that _hashopenssl.c has a potential integer overflow. Attached is the patch sent to PSRT.
msg73343 - Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2008-09-17 20:49
I'm ok with this patch.
msg73349 - Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2008-09-18 01:23
Fixed in r66496.
msg73350 - Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2008-09-18 01:39
Hmm. It seems 3.0 will require a different patch. I can't get the merging to work...
msg73372 - Author: Ralf Schmitt (schmir) Date: 2008-09-18 11:51
http://bugs.python.org/issue3026 is about the same issue (with a working patch added 2 months ago). It's really sad that it sat there for so long. I could have spent that time on something else... (btw. my patch also made the hash functions interruptible, this is something you might consider).
msg73374 - Author: Martin v. Löwis (loewis) * (Python committer) Date: 2008-09-18 12:05
As a security issue, the patch should also be backported to 2.5 (and 2.4 if applicable).
msg73392 - Author: Brett Cannon (brett.cannon) * (Python committer) Date: 2008-09-18 17:31
Sorry about missing your work, Ralf. In the rush to get a fix in for 2.6rc2 we went with the patch Apple sent to the security mailing list when the CVE was reported to us. And 2.5 has already been patched by r66497, so removing that as a version that needs a patch.
msg73402 - Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2008-09-18 21:47
hashlib doesn't exist in Python 2.4, so I'm not very worried about it. :)
msg73406 - Author: Gregory P. Smith (gregory.p.smith) * (Python committer) Date: 2008-09-18 22:29
Python 2.4 uses an 'int' for ob_size so it does not appear at first glance that its sha module (what hashlib was derived from) is susceptible to this bug when compiled as 64-bit.
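Added illustration, not code from the Python patch or from anyone in this thread: a length that is wider than a digest routine's length parameter gets narrowed, so only part of the data is hashed, shown next to a chunked loop that avoids it. All names (`toy_ctx`, `toy_update`, `hash_buffer`) are hypothetical, the digest is a toy FNV-1a, and a 16-bit parameter stands in for a 32-bit one so the demonstration needs no 4 GB buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical toy digest (FNV-1a) standing in for a real hash context. */
typedef struct { uint32_t state; size_t consumed; } toy_ctx;

/* Update routine with a length parameter narrower than size_t. uint16_t
   models a 32-bit parameter at a scale that needs no 4 GB buffer. */
static void toy_update(toy_ctx *c, const unsigned char *p, uint16_t len) {
    for (uint16_t i = 0; i < len; i++)
        c->state = (c->state ^ p[i]) * 16777619u;
    c->consumed += len;
}

/* Narrowing caller: the cast silently drops the high bits of len. */
static void update_narrowed(toy_ctx *c, const unsigned char *p, size_t len) {
    toy_update(c, p, (uint16_t)len);
}

/* Chunked caller: never passes more than the narrow parameter can hold. */
static void update_chunked(toy_ctx *c, const unsigned char *p, size_t len) {
    while (len > 0) {
        uint16_t n = len > UINT16_MAX ? UINT16_MAX : (uint16_t)len;
        toy_update(c, p, n);
        p += n;
        len -= n;
    }
}

/* Hash a constructed buffer of len bytes (byte i holds i mod 256). */
toy_ctx hash_buffer(int chunked, size_t len) {
    toy_ctx c = { 2166136261u, 0 };
    unsigned char *buf = malloc(len ? len : 1);
    if (buf == NULL) return c;
    for (size_t i = 0; i < len; i++) buf[i] = (unsigned char)i;
    if (chunked) update_chunked(&c, buf, len);
    else update_narrowed(&c, buf, len);
    free(buf);
    return c;
}

int main(void) {
    size_t big = 65536u + 5u;  /* just past what uint16_t can express */
    toy_ctx bad = hash_buffer(0, big), good = hash_buffer(1, big);
    printf("narrowed: %zu bytes, digest %08x\n", bad.consumed, (unsigned)bad.state);
    printf("chunked:  %zu bytes, digest %08x\n", good.consumed, (unsigned)good.state);
    return 0;
}
```

With the narrowing caller, the 65541-byte buffer produces the same digest as its first 5 bytes hashed alone, which is why a partial hash undermines any integrity check built on it.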
msg73760 - Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2008-09-24 22:54
Got 3.0 in r66615. Somebody should really test it, though.
msg73900 - Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2008-09-26 22:25
I'm going to close this because 2.5, 2.6, and 3.0 have been patched. Gregory, if you're concerned about 2.4, I think you should make a different issue.
History
Date User Action Args
2022-04-11 14:56:39 admin set github: 48136
2008-09-26 22:25:31 benjamin.peterson set status: open -> closed; resolution: fixed; messages: +; keywords: patch, patch, 64bit
2008-09-26 22:20:37 barry set priority: release blocker -> deferred blocker; keywords: patch, patch, 64bit
2008-09-24 22:54:36 benjamin.peterson set keywords: patch, patch, 64bit; messages: +
2008-09-18 22:29:19 gregory.p.smith set keywords: + 64bit; nosy: + gregory.p.smith; messages: +; versions: - Python 2.4
2008-09-18 21:47:04 benjamin.peterson set keywords: patch, patch; messages: +
2008-09-18 17:31:39 brett.cannon set keywords: patch, patch; messages: +; versions: - Python 2.5
2008-09-18 12:05:26 loewis set keywords: patch, patch; nosy: + loewis; messages: +; versions: + Python 2.5, Python 2.4
2008-09-18 11:51:29 schmir set nosy: + schmir; messages: +
2008-09-18 05:43:53 barry set priority: deferred blocker -> release blocker; keywords: patch, patch
2008-09-18 01:39:44 benjamin.peterson set status: closed -> open; versions: - Python 2.6; messages: +; priority: release blocker -> deferred blocker; keywords: patch, patch; resolution: fixed -> (no value)
2008-09-18 01:23:22 benjamin.peterson set status: open -> closed; keywords: patch, patch; resolution: fixed; messages: +
2008-09-17 20:49:36 benjamin.peterson set keywords: patch, patch; nosy: + benjamin.peterson; messages: +
2008-09-17 17:06:35 matejcik set nosy: + matejcik
2008-09-17 01:01:57 brett.cannon create