homepage

CVE-2008-2316
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2316) notes that
_hashopenssl.c has a potential integer overflow. Attached is the patch
sent to PSRT.

I'm ok with this patch.

Fixed in r66496.

Hmm. It's seems 3.0 will require a different patch. I can't get the
merging to work...

http://bugs.python.org/issue3026 is about the same issue (with a working
patch added 2 months ago). It's really sad that it sat there for so
long. I could have spent that time on something else...
(btw. my patch also made the hash functions interruptible, this is
something you might consider).

As a security issue, the patch should also be backport to 2.5 (and 2.4
if applicable)

Sorry about missing your work, Ralf. In the rush to getting a fix in for
2.6rc2 we went with the patch Apple sent to the security mailing list
when the CVE was reported to us.
And 2.5 has already been patched by r66497, so removing that as a
version that needs a patch.

hashlib doesn't exist in Python 2.4, so I'm not very worried about it. :)

Python 2.4 uses an 'int' for ob_size so it does not appear at first
glance that its sha module (what hashlib was derived from) is
susceptible to this bug when compiled as 64-bit.

Got 3.0 in r66615. Somebody should really test it, though.

I'm going to close this because 2.5, 2.6, and 3.0 have been patched.
Gregory, if you're concerned about 2.4, I think you should make a
different issue.