[USN-729-1] Python Crypto vulnerability
Date: Thu, 5 Mar 2009 15:38:36 -0800
From: Kees Cook <kees@ubuntu.com.>
To: [email protected]
Subject: [USN-729-1] Python Crypto vulnerability
Message-ID: <20090305233836.GQ10132@outflux.net.>
MIME-Version: 1.0
Organization: Ubuntu
X-MIMEDefang-Filter: outflux$Revision: 1.316 $
X-HELO: www.outflux.net
X-Scanned-By: MIMEDefang 2.64 on 10.2.0.1
X-Mailman-Approved-At: Thu, 05 Mar 2009 23:48:23 +0000
Cc: [email protected], [email protected]
X-BeenThere: [email protected]
X-Mailman-Version: 2.1.8
Reply-To: [email protected],
Ubuntu Security <security@ubuntu.com.>
Content-Type: multipart/mixed; boundary="===============6521363937647685840=="
Mime-version: 1.0
Sender: [email protected]
Errors-To: [email protected]
X-Virus-Scanned: antivirus-gw at tyumen.ru
--===============6521363937647685840==
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="oTHb8nViIGeoXxdp"
Content-Disposition: inline
--oTHb8nViIGeoXxdp
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Ubuntu Security Notice USN-729-1 March 05, 2009
python-crypto vulnerability
CVE-2009-0544
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
python2.4-crypto 2.0.1+dfsg1-1ubuntu1.1
Ubuntu 7.10:
python-crypto 2.0.1+dfsg1-2ubuntu1.1
Ubuntu 8.04 LTS:
python-crypto 2.0.1+dfsg1-2.1ubuntu1.1
Ubuntu 8.10:
python-crypto 2.0.1+dfsg1-2.3ubuntu0.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
Mike Wiacek discovered that the ARC2 implementation in Python Crypto
did not correctly check the key length. If a user or automated system
were tricked into processing a malicious ARC2 stream, a remote attacker
could execute arbitrary code or crash the application using Python Crypto,
leading to a denial of service.
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-1ubuntu1.1.diff.gz
Size/MD5: 10150 d118d7b4c9cbb3aba916f869d8e5f1b3
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-1ubuntu1.1.dsc
Size/MD5: 770 29a123e73e9324901e415e4d2be2f323
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1.orig.tar.gz
Size/MD5: 158593 f81d94a506981c67188f08057d797420
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-1ubuntu1.1_amd64.deb
Size/MD5: 11154 e2465021dedb713c54f7d3e814167cf2
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python2.4-crypto_2.0.1+dfsg1-1ubuntu1.1_amd64.deb
Size/MD5: 171042 61b21abd565ef958e32a4297066ce701
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-1ubuntu1.1_i386.deb
Size/MD5: 11156 3f9ccecc35ad1d27b2818da0d1285b0c
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python2.4-crypto_2.0.1+dfsg1-1ubuntu1.1_i386.deb
Size/MD5: 164156 f09da47006c94472c6c5ae5a77abdcc5
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-1ubuntu1.1_powerpc.deb
Size/MD5: 11158 4f9a9214e15aa7d809a7871ec4e5cefe
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python2.4-crypto_2.0.1+dfsg1-1ubuntu1.1_powerpc.deb
Size/MD5: 182392 9eae34b2b8ace41afb35fabf3199bdd8
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-1ubuntu1.1_sparc.deb
Size/MD5: 11158 a6f18647cd0130a1e64f89c5042f5277
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python2.4-crypto_2.0.1+dfsg1-1ubuntu1.1_sparc.deb
Size/MD5: 163300 e115a1d73e987e02803e3c10d1f33c55
Updated packages for Ubuntu 7.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2ubuntu1.1.diff.gz
Size/MD5: 10952 4005a6b69726a90b63e96595f8d446ec
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2ubuntu1.1.dsc
Size/MD5: 960 6e166f36bff95826ad5739087a9dd9cd
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1.orig.tar.gz
Size/MD5: 158593 f81d94a506981c67188f08057d797420
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2ubuntu1.1_amd64.deb
Size/MD5: 486454 ce89d8db64a1a8dee10db8cf18bb30a1
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2ubuntu1.1_amd64.deb
Size/MD5: 235488 c068f30cbe72009209c43e84063b1835
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2ubuntu1.1_i386.deb
Size/MD5: 447440 605251d220c5e9952a9d4cc8e9c75060
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2ubuntu1.1_i386.deb
Size/MD5: 223402 7e3908d6888e172cf2154298f3f8c9f2
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2ubuntu1.1_lpia.deb
Size/MD5: 443796 65776fb514a612b9a6e4a4aaa192fc5b
http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2ubuntu1.1_lpia.deb
Size/MD5: 220388 8ae74844b825139bbd3e635c4488cb8b
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2ubuntu1.1_powerpc.deb
Size/MD5: 593560 33e015af10b7a351ee39f676e23653eb
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2ubuntu1.1_powerpc.deb
Size/MD5: 268382 ab1646b6dc87493c971dae32243bb242
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2ubuntu1.1_sparc.deb
Size/MD5: 461776 fc87dcebd27091b601e8ccf8e838e453
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2ubuntu1.1_sparc.deb
Size/MD5: 226284 da69ba865e86bc0447076f675d884cf5
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.1ubuntu1.1.diff.gz
Size/MD5: 11223 6365ecad8f9d716b7c068ab51dd93869
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.1ubuntu1.1.dsc
Size/MD5: 946 f9a5983f25d35bedcc72a2a5fdd052e3
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1.orig.tar.gz
Size/MD5: 158593 f81d94a506981c67188f08057d797420
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2.1ubuntu1.1_amd64.deb
Size/MD5: 568060 aa46cf0d6adc7b0299debc303df435d1
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.1ubuntu1.1_amd64.deb
Size/MD5: 228736 e5543d872c3562e602408cdb39b03f63
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2.1ubuntu1.1_i386.deb
Size/MD5: 514430 759b824c6389630b91b2da9e21a86a01
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.1ubuntu1.1_i386.deb
Size/MD5: 216922 b4eae87002c9c0a7f18abd9884004a49
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2.1ubuntu1.1_lpia.deb
Size/MD5: 514468 bbf6e3cfa3fdfa1b0e2f89a03dd54ab8
http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.1ubuntu1.1_lpia.deb
Size/MD5: 216380 1f5250946df65f9d44e9027d2b397152
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2.1ubuntu1.1_powerpc.deb
Size/MD5: 676536 334c5ed43ad9cbf7a521045ddbeae7d8
http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.1ubuntu1.1_powerpc.deb
Size/MD5: 258370 c70b751e7ef892ecbf0f5567b16719a0
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2.1ubuntu1.1_sparc.deb
Size/MD5: 511630 ebfb3ca90c327363f19ececcba509a1f
http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.1ubuntu1.1_sparc.deb
Size/MD5: 221378 d98e810a1204c8b83749f19f91210a7b
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.3ubuntu0.1.diff.gz
Size/MD5: 10354 37fb59b427446ceed5ed5a0800797e26
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.3ubuntu0.1.dsc
Size/MD5: 1424 41f352a397b85569bc23d0b85f194ed0
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1.orig.tar.gz
Size/MD5: 158593 f81d94a506981c67188f08057d797420
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2.3ubuntu0.1_amd64.deb
Size/MD5: 552134 3857f8511956365a9c131c263d82b933
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.3ubuntu0.1_amd64.deb
Size/MD5: 227784 9349f0d14face27e266dfd4494d9e903
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2.3ubuntu0.1_i386.deb
Size/MD5: 521518 0d33597259beac8b9b07cb5389b5bac3
http://security.ubuntu.com/ubuntu/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.3ubuntu0.1_i386.deb
Size/MD5: 221226 44f0cbc17dfefef5e250fc547464dd8b
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2.3ubuntu0.1_lpia.deb
Size/MD5: 521772 3375c209c1628434943694b85496ab4f
http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.3ubuntu0.1_lpia.deb
Size/MD5: 219324 612edcbece0f14f9903bc9e3b08790a3
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2.3ubuntu0.1_powerpc.deb
Size/MD5: 682374 b4f032ad1611e4980a1caef7214b68f5
http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.3ubuntu0.1_powerpc.deb
Size/MD5: 269794 1dce6263c85c8cab3c03a104782f1b86
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto-dbg_2.0.1+dfsg1-2.3ubuntu0.1_sparc.deb
Size/MD5: 512496 000f4c1d74291b6db92668a7c845c9b4
http://ports.ubuntu.com/pool/main/p/python-crypto/python-crypto_2.0.1+dfsg1-2.3ubuntu0.1_sparc.deb
Size/MD5: 223042 0b52a4785c733bc85ff28640781f4b4a
--oTHb8nViIGeoXxdp
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Kees Cook <kees@outflux.net.>
iEYEARECAAYFAkmwYnwACgkQH/9LqRcGPm3APgCfe9zlXXc0/wbyhhnIBit56GyC
n6IAnjGnz+XoznwVzgPE+gyEYUmXS5en
=82lB
-----END PGP SIGNATURE-----
--oTHb8nViIGeoXxdp--
--===============6521363937647685840==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
--
ubuntu-security-announce mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
--===============6521363937647685840==--