From e4af9cf961c70bb4a96eaafd995d0ff2c264cb8e Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Thu, 24 Aug 2017 13:56:32 +0800
Subject: python-pycrypto: Security fix CVE-2013-7459

CVE-2013-7459: Heap-based buffer overflow in the ALGnew function in
block_templace.c in Python Cryptography Toolkit (aka pycrypto) allows
remote attackers to execute arbitrary code as demonstrated by a crafted
iv parameter to cryptmsg.py.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2013-7459

Patch from:
https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
---
 meta-python/recipes-devtools/python/python-pycrypto_2.6.1.bb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'meta-python/recipes-devtools/python/python-pycrypto_2.6.1.bb')

diff --git a/meta-python/recipes-devtools/python/python-pycrypto_2.6.1.bb b/meta-python/recipes-devtools/python/python-pycrypto_2.6.1.bb
index 06a0cc4444..919f91ecb1 100644
--- a/meta-python/recipes-devtools/python/python-pycrypto_2.6.1.bb
+++ b/meta-python/recipes-devtools/python/python-pycrypto_2.6.1.bb
@@ -1,7 +1,9 @@
 inherit distutils
 require python-pycrypto.inc
 
-SRC_URI += "file://cross-compiling.patch"
+SRC_URI += "file://cross-compiling.patch \
+            file://CVE-2013-7459.patch \
+           "
 
 # We explicitly call distutils_do_install, since we want it to run, but
 # *don't* want the autotools install to run, since this package doesn't
-- 
cgit v1.2.3-54-g00ecf