Candidate: CVE-2020-36242
PublicDate: 2021-02-07 20:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36242
 https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst
 https://github.com/pyca/cryptography/compare/3.3.1...3.3.2
Description:
 In the cryptography package before 3.3.2 for Python, certain sequences of
 update calls to symmetrically encrypt multi-GB values could result in an
 integer overflow and buffer overflow, as demonstrated by the Fernet class.
Ubuntu-Description:
Notes:
 mdeslaur> Versions in groovy and earlier don't support chunking in
 mdeslaur> update_into. Attempting reproducer on groovy and focal errors
 mdeslaur> out with:
 mdeslaur> OverflowError: integer 4294967296 does not fit '32-bit int'
 mdeslaur> which seems to indicate there is a size check being performed
 mdeslaur> and they aren't vulnerable to this issue.
Mitigation:
Bugs:
 https://github.com/pyca/cryptography/issues/5615
Priority: medium
Discovered-by: Anders Wenhaug
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H [9.1 CRITICAL]


Patches_python-cryptography:
 upstream: https://github.com/pyca/cryptography/commit/82b6ce28389f0a317bc55ba2091a74b346db7cae
upstream_python-cryptography: released (3.3.2)
precise/esm_python-cryptography: DNE
trusty_python-cryptography: ignored (out of standard support)
trusty/esm_python-cryptography: DNE
xenial_python-cryptography: not-affected (1.2.3-1ubuntu0.3)
esm-infra/xenial_python-cryptography: not-affected (1.2.3-1ubuntu0.3)
bionic_python-cryptography: not-affected (2.1.4-1ubuntu1.4)
focal_python-cryptography: not-affected (2.8-3ubuntu0.1)
groovy_python-cryptography: not-affected (3.0-1ubuntu0.1)
devel_python-cryptography: released (3.3.2-1)