Candidate: CVE-2018-15560
PublicDate: 2018-08-20 00:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15560
 https://github.com/Legrandin/pycryptodome/issues/198
 https://whitehatck01.blogspot.com/2018/08/integer-overflow-vulnerability-in.html
Description:
 PyCryptodome before 3.6.6 has an integer overflow in the data_len variable in AESNI.c, related to the AESNI_encrypt and AESNI_decrypt functions, leading to the mishandling of messages shorter than 16 bytes.
Ubuntu-Description:
Notes:
 leosilva> Tested with the PoC file and not affected.
 leosilva> ECB/AES needs an input whose size is exactly a multiple of the 16-byte block size to
 leosilva> work, according to the lib. Otherwise it gives a ValueError,
 leosilva> which is normal and expected in the lib.
 leosilva> Also, the affected code is not present in bionic or cosmic.
Bugs:
Priority: medium
Discovered-by:
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]

Patches_pycryptodome:
upstream_pycryptodome: released (3.6.6)
precise/esm_pycryptodome: DNE
trusty_pycryptodome: DNE
trusty/esm_pycryptodome: DNE
xenial_pycryptodome: DNE
bionic_pycryptodome: not-affected (code not present)
devel_pycryptodome: not-affected (code not present)