oss-sec mailing list archives
Re: CVE Request: Cryptography 1.5.3: HKDF might return an empty byte-string
From: <cve-assign () mitre org>
Date: Wed, 9 Nov 2016 00:44:42 -0500
1.5.3 - 2016-11-05
* Security issue: Fixed a bug where HKDF would return an empty byte-string if used with a length less than algorithm.digest_size. Credit to Markus Doering for reporting the issue.

https://cryptography.io/en/latest/changelog/#id1
https://github.com/pyca/cryptography/issues/3211
https://github.com/pyca/cryptography/commit/b924696b2e8731f39696584d12cceeb3aeb2d874
hazmat/primitives/kdf/hkdf.py - while (self._algorithm.digest_size // 8) * len(output) < self._length: + while self._algorithm.digest_size * (len(output) - 1) < self._length:
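Review bot: the corrected condition `self._algorithm.digest_size * (len(output) - 1) < self._length` is only right because `digest_size` is already a byte count (the removed `// 8` treated it as bits) and because the `- 1` discounts one entry of `output` that contributes no derived bytes; neither assumption is stated at the loop, so a one-line comment there would keep a later reader from reintroducing the `// 8`. The hunk also carries no regression test; add one that calls `derive()` with lengths below `digest_size` (including 1) and asserts `len(result) == length`, which is exactly the case the changelog says returned an empty byte-string.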
Use CVE-2016-9243.

--
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ]
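As an added example (not pyca/cryptography's own code), HKDF-Expand per RFC 5869 written in the shape of the loop quoted in the thread, with a `buggy` switch that reproduces the pre-1.5.3 condition from the `-` line; `hkdf_extract`, `hkdf_expand`, `short_derive` and its constructed inputs are assumptions made here, and `rfc5869_test_case_1` is the RFC 5869 Appendix A known-answer check used to show the fixed loop is correct.

```python
import hashlib
import hmac

def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract (RFC 5869 s2.2): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, hash_name).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int,
                hash_name: str = "sha256", buggy: bool = False) -> bytes:
    """HKDF-Expand (RFC 5869 s2.3) in the shape of the loop quoted above.
    digest_size is a BYTE count (32 for SHA-256); buggy=True reproduces the
    pre-1.5.3 '-' condition, buggy=False the '+' condition from the fix."""
    digest_size = hashlib.new(hash_name).digest_size
    if not 0 < length <= 255 * digest_size:
        raise ValueError("length must be between 1 and 255 * digest_size")
    output = [b""]  # T(0) is the empty string: a seed, not derived bytes
    counter = 1

    def more_needed() -> bool:
        if buggy:
            # Divides a byte count by 8 and counts the empty seed block, so
            # for short lengths the loop never runs and the join is b"".
            return (digest_size // 8) * len(output) < length
        # Bytes derived so far = digest_size * number of real blocks.
        return digest_size * (len(output) - 1) < length

    while more_needed():
        h = hmac.new(prk, digestmod=hash_name)
        h.update(output[-1])        # T(n-1)
        h.update(info)
        h.update(bytes([counter]))  # single-byte block counter n
        output.append(h.digest())
        counter += 1
    return b"".join(output)[:length]

def rfc5869_test_case_1() -> bytes:
    """Known-answer check: RFC 5869 Appendix A, test case 1 (SHA-256, L=42)."""
    ikm = b"\x0b" * 22
    salt = bytes(range(0x00, 0x0d))
    info = bytes(range(0xf0, 0xfa))
    return hkdf_expand(hkdf_extract(salt, ikm), info, 42)

def short_derive(length: int = 4, buggy: bool = False) -> bytes:
    """Derive a short key from constructed inputs; buggy=True yields b""."""
    prk = hkdf_extract(b"constructed salt", b"constructed ikm")
    return hkdf_expand(prk, b"constructed info", length, buggy=buggy)
```

With SHA-256 the old condition skips the loop entirely for a 4-byte request, while for longer requests it only over-generates blocks that the final truncation discards, which is why the bug was silent except for short keys.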
Current thread:
- CVE Request: Cryptography 1.5.3: HKDF might return an empty byte-string Andrej Nemec (Nov 08)
- Re: CVE Request: Cryptography 1.5.3: HKDF might return an empty byte-string cve-assign (Nov 08)