CVE-2013-7459

Source
Severity Critical
Remote Yes
Type Arbitrary code execution
Description
A heap-buffer overflow vulnerability was discovered in pycrypto leading to arbitrary code execution. All users of pycrypto's AES module that allow the mode of operation to be specified by an attacker, check for ECB explicitly and create the objects without specifying an IV are vulnerable to this issue.
Group | Package | Affected | Fixed | Severity | Status | Ticket
AVG-118 | python-crypto, python2-crypto | 2.6.1-4 | 2.6.1-5 | Critical | Fixed |
Date | Advisory | Group | Package | Severity | Description
15 Jan 2017 | ASA-201701-26 | AVG-118 | python-crypto | Critical | arbitrary code execution
15 Jan 2017 | ASA-201701-25 | AVG-118 | python2-crypto | Critical | arbitrary code execution
References
https://github.com/dlitz/pycrypto/issues/176
https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4
http://seclists.org/oss-sec/2016/q4/760
Notes
The following code causes the crash:
>>> from Crypto.Cipher import AES
>>> AES.new(b'\000' * 16, AES.MODE_ECB, b'\000' * 555)
<Crypto.Cipher.AES.AESCipher instance at 0x7f727e0afcf8>
*** Error in `python2': malloc(): memory corruption: 0x000055aa93800c00 ***
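The mitigation the description points at, for applications that let a caller choose the mode of operation, is to treat the mode and IV as untrusted input and validate them before they reach the C extension: never forward an IV for ECB, and accept exactly one block for the other modes. The wrapper below is an added example written for this page; it is not part of the advisory, of pycrypto, or of the fix commit. The function names `build_cipher_args`, `new_cipher` and `is_accepted` are hypothetical, the `MODE_NAMES` table is an application-side allowlist, and when pycrypto is not importable the code falls back to the assumed constant values 1 (ECB) and 2 (CBC) so the validation logic still runs offline.

```python
# Added example (not from the advisory or from pycrypto): a validating
# wrapper around AES.new() for applications that let a caller choose the
# mode of operation and IV, the exposure described in CVE-2013-7459.
try:
    from Crypto.Cipher import AES
    MODE_ECB, MODE_CBC = AES.MODE_ECB, AES.MODE_CBC
except ImportError:  # pycrypto not installed: validation still works offline
    AES = None
    MODE_ECB, MODE_CBC = 1, 2  # assumed values of pycrypto's mode constants

AES_BLOCK_SIZE = 16             # AES block size in bytes
VALID_KEY_SIZES = (16, 24, 32)  # AES-128 / AES-192 / AES-256
# Allowlist of the modes this application is willing to expose to callers.
MODE_NAMES = {"ECB": MODE_ECB, "CBC": MODE_CBC}


def build_cipher_args(key, mode_name, iv=None):
    """Validate caller-controlled parameters and return the tuple of
    positional arguments that may be handed to AES.new().

    Every combination is checked before the C extension sees it: ECB never
    receives an IV at all, and the other modes receive exactly one block.
    Raises ValueError on anything else.
    """
    if len(key) not in VALID_KEY_SIZES:
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    try:
        mode = MODE_NAMES[mode_name]
    except KeyError:
        raise ValueError("unsupported mode %r" % (mode_name,))
    if mode == MODE_ECB:
        # ECB has no IV; refuse one rather than forwarding it to AES.new()
        if iv is not None:
            raise ValueError("ECB mode takes no IV")
        return (key, mode)
    if iv is None or len(iv) != AES_BLOCK_SIZE:
        raise ValueError("IV must be exactly %d bytes" % AES_BLOCK_SIZE)
    return (key, mode, iv)


def new_cipher(key, mode_name, iv=None):
    """Construct the cipher object only after the arguments pass validation."""
    args = build_cipher_args(key, mode_name, iv)
    if AES is None:
        raise RuntimeError("pycrypto is not installed")
    return AES.new(*args)


def is_accepted(key, mode_name, iv=None):
    """Predicate form: would these parameters be allowed to reach AES.new()?"""
    try:
        build_cipher_args(key, mode_name, iv)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    key = b"\x00" * 16
    # The advisory's reproducer (ECB with a 555-byte IV) is refused here
    print(is_accepted(key, "ECB", b"\x00" * 555))  # False
    print(is_accepted(key, "ECB"))                 # True
    print(is_accepted(key, "CBC", b"\x00" * 16))   # True
```

The point of returning a tuple from `build_cipher_args` rather than calling `AES.new()` directly is that the IV parameter is dropped for ECB instead of being passed through, so even a library that does not check the IV length for ECB never receives the oversized buffer.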