Published: 07 February 2021
In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.
CVSS 3 base score: 9.1
Launchpad, Ubuntu, Debian
|Ubuntu 21.04 (Hirsute Hippo)||
|Ubuntu 20.10 (Groovy Gorilla)||
|Ubuntu 20.04 LTS (Focal Fossa)||
|Ubuntu 18.04 LTS (Bionic Beaver)||
|Ubuntu 16.04 LTS (Xenial Xerus)||
|Ubuntu 14.04 ESM (Trusty Tahr)||
Does not exist
Versions in groovy and earlier don't support chunking in update_into. Attempting reproducer on groovy and focal errors out with: OverflowError: integer 4294967296 does not fit '32-bit int' which seems to indicate there is a size check being performed and they aren't vulnerable to this issue.