[pycrypto] Buffer overflow in ARC2.new() with len(key) > 128 bytes

Dwayne C. Litzenberger dlitz at dlitz.net
Sat Feb 28 12:06:26 CST 2009

On Fri, Feb 06, 2009 at 07:39:14PM -0500, Dwayne C. Litzenberger wrote:
>Mike Wiacek from the Google Security Team pointed out a buffer overflow in 
>PyCrypto's ARC2 cipher module, which occurs when attempting to initialize 
>ARC2 with a key longer than 128 bytes.

For future reference, this issue has been assigned CVE-2009-0544, and 
Debian DSA 1726:


Dwayne C. Litzenberger <dlitz at dlitz.net>
  Key-signing key   - 19E1 1FE8 B3CF F273 ED17  4A24 928C EC13 39C2 5CF7
  Annual key (2008) - 4B2A FD82 FC7D 9E38 38D9  179F 1C11 B877 E780 4B45

More information about the pycrypto mailing list