
python-cryptography: denial of service

Package(s): python-cryptography
CVE #(s):
Created: November 13, 2015
Updated: November 30, 2015
Description:

From the Red Hat bug report:

The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with -O these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse.

Alerts:
Mageia MGASA-2015-0460 python-cryptography 2015-11-28
Fedora FEDORA-2015-ac07ff875b python-cryptography-vectors 2015-11-12
Fedora FEDORA-2015-ac07ff875b python-cryptography 2015-11-12
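
The failure mode described in the bug report, as an added example (not code from python-cryptography or from the advisory): it compiles the same constructed source at optimization levels 0 and 1 with the built-in `compile()`, which is what `python -O` changes, and shows that only the explicit check still rejects a failing return code. The function names, the `InternalError` class and the return-code convention (1 = success) are assumptions made for illustration.

```python
"""Added example: how `python -O` removes assert-based return-code checks."""

# Constructed stand-in for a backend that checks a C library's return code
# (assumed convention: 1 = success, anything else = failure).
# All names here are hypothetical.
CHECKS_SRC = '''
class InternalError(Exception):
    pass

def finalize_with_assert(res):
    assert res == 1          # compiled out when optimize >= 1 (python -O)
    return "digest-bytes"

def finalize_with_check(res):
    if res != 1:             # ordinary control flow, survives -O
        raise InternalError("backend returned %r" % (res,))
    return "digest-bytes"
'''

def load(optimize):
    """Compile CHECKS_SRC as the interpreter would at the given -O level."""
    ns = {}
    code = compile(CHECKS_SRC, "<checks>", "exec", optimize=optimize)
    exec(code, ns)
    return ns

def outcome(func, res):
    """Return the exception name raised for return code `res`, or 'continued'."""
    try:
        func(res)
    except Exception as exc:
        return type(exc).__name__
    return "continued"

def survey(failing_code=0):
    """Map (optimize level, check style) -> outcome for a failing return code."""
    results = {}
    for level in (0, 1):
        ns = load(level)
        results[(level, "assert")] = outcome(ns["finalize_with_assert"], failing_code)
        results[(level, "explicit")] = outcome(ns["finalize_with_check"], failing_code)
    return results

if __name__ == "__main__":
    for key, value in sorted(survey().items()):
        print(key, value)
```

At level 1 the assert-guarded function carries on with a failed return code as if the call had succeeded, while the explicit check raises at both levels.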


python-cryptography: denial of service

Posted Nov 19, 2015 10:54 UTC (Thu) by epa (subscriber, #39769) [Link]

If the assert function or macro in programming languages were instead called can_never_happen (with flipped logic) then its intended use might be clearer to all programmers. The point of an assertion is that you the programmer believe it can never be false. If an assertion fails then by definition the program has a bug, and if you add assertions to check conditions which can in practice be false then you are inserting a bug in the program.

Possibly, compilers should enable assertion checking by default at all optimization levels, with only some more verbose expert mode or assert_when_not_optimized macro being the way to get a check that's compiled out when optimizing.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds