CVE-2020-36242

Description

In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.

Predictions

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

References

• https://security.archlinux.org/ASA-202102-36
• https://github.com/pyca/cryptography/security/advisories/GHSA-rhm9-p9w5-fwm7
• https://nvd.nist.gov/vuln/detail/CVE-2020-36242
• https://github.com/pyca/cryptography/issues/5615
• https://github.com/pyca/cryptography/commit/82b6ce28389f0a317bc55ba2091a74b346db7cae
• https://github.com/advisories/GHSA-rhm9-p9w5-fwm7
• https://github.com/pyca/cryptography
• https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst
• https://github.com/pyca/cryptography/compare/3.3.1...3.3.2
• https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2021-63.yaml
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E/
• https://www.suse.com/security/cve/CVE-2020-36242.html
• https://errata.rockylinux.org/RLSA-2021:1608
• https://security-tracker.debian.org/tracker/CVE-2020-36242