
Bug#819000: marked as done (jessie-pu: package python-rsa/3.1.4-1+deb8u1)



Your message dated Sat, 02 Apr 2016 14:20:04 +0100
with message-id <1459603204.2441.216.camel@adam-barratt.org.uk>
and subject line Fix included in stable
has caused the Debian Bug report #819000,
regarding jessie-pu: package python-rsa/3.1.4-1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
819000: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819000
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi stable release managers,

python-rsa in jessie is also vulnerable to CVE-2016-1494 (signature
forgery issue using Bleichenbacher'06 attack); we think the issue does
not warrant a DSA on its own.

It is #809980 and fixed in unstable already.

+python-rsa (3.1.4-1+deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2016-1494: Possible signature forgery using Bleichenbacher'06 attack
+    (Closes: #809980)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Tue, 22 Mar 2016 17:33:03 +0100

Attached is the proposed debdiff. Can you accept it for the next
jessie point release?

Regards,
Salvatore
diff -Nru python-rsa-3.1.4/debian/changelog python-rsa-3.1.4/debian/changelog
--- python-rsa-3.1.4/debian/changelog	2014-06-22 10:21:48.000000000 +0200
+++ python-rsa-3.1.4/debian/changelog	2016-03-22 17:37:01.000000000 +0100
@@ -1,3 +1,11 @@
+python-rsa (3.1.4-1+deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2016-1494: Possible signature forgery using Bleichenbacher'06 attack
+    (Closes: #809980)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Tue, 22 Mar 2016 17:33:03 +0100
+
 python-rsa (3.1.4-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru python-rsa-3.1.4/debian/patches/CVE-2016-1494.patch python-rsa-3.1.4/debian/patches/CVE-2016-1494.patch
--- python-rsa-3.1.4/debian/patches/CVE-2016-1494.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-rsa-3.1.4/debian/patches/CVE-2016-1494.patch	2016-03-22 17:37:01.000000000 +0100
@@ -0,0 +1,107 @@
+Description: Fix BB'06 attack in verify() by switching from parsing to comparison (CVE-2016-1494)
+Origin: upstream, https://github.com/sybrenstuvel/python-rsa/commit/ab5d21c3b554f926d51ff3ad9c794bcf32e95b3c
+Bug: https://bitbucket.org/sybren/python-rsa/pull-requests/14/security-fix-bb06-attack-in-verify-by/diff
+Bug-Debian: https://bugs.debian.org/809980
+Forwarded: not-needed
+Author: Filippo Valsorda <hi@filippo.io>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-02-07
+Applied-Upstream: 3.3
+
+diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py
+--- a/rsa/pkcs1.py
++++ b/rsa/pkcs1.py
+@@ -22,10 +22,10 @@
+ At least 8 bytes of random padding is used when encrypting a message. This makes
+ these methods much more secure than the ones in the ``rsa`` module.
+ 
+-WARNING: this module leaks information when decryption or verification fails.
+-The exceptions that are raised contain the Python traceback information, which
+-can be used to deduce where in the process the failure occurred. DO NOT PASS
+-SUCH INFORMATION to your users.
++WARNING: this module leaks information when decryption fails. The exceptions
++that are raised contain the Python traceback information, which can be used to
++deduce where in the process the failure occurred. DO NOT PASS SUCH INFORMATION
++to your users.
+ '''
+ 
+ import hashlib
+@@ -288,37 +288,23 @@
+     :param pub_key: the :py:class:`rsa.PublicKey` of the person signing the message.
+     :raise VerificationError: when the signature doesn't match the message.
+ 
+-    .. warning::
+-
+-        Never display the stack trace of a
+-        :py:class:`rsa.pkcs1.VerificationError` exception. It shows where in
+-        the code the exception occurred, and thus leaks information about the
+-        key. It's only a tiny bit of information, but every bit makes cracking
+-        the keys easier.
+-
+     '''
+     
+-    blocksize = common.byte_size(pub_key.n)
++    keylength = common.byte_size(pub_key.n)
+     encrypted = transform.bytes2int(signature)
+     decrypted = core.decrypt_int(encrypted, pub_key.e, pub_key.n)
+-    clearsig = transform.int2bytes(decrypted, blocksize)
+-
+-    # If we can't find the signature  marker, verification failed.
+-    if clearsig[0:2] != b('\x00\x01'):
+-        raise VerificationError('Verification failed')
++    clearsig = transform.int2bytes(decrypted, keylength)
+     
+-    # Find the 00 separator between the padding and the payload
+-    try:
+-        sep_idx = clearsig.index(b('\x00'), 2)
+-    except ValueError:
+-        raise VerificationError('Verification failed')
+-    
+-    # Get the hash and the hash method
+-    (method_name, signature_hash) = _find_method_hash(clearsig[sep_idx+1:])
++    # Get the hash method
++    method_name = _find_method_hash(clearsig)
+     message_hash = _hash(message, method_name)
+ 
+-    # Compare the real hash to the hash in the signature
+-    if message_hash != signature_hash:
++    # Reconstruct the expected padded hash
++    cleartext = HASH_ASN1[method_name] + message_hash
++    expected = _pad_for_signing(cleartext, keylength)
++
++    # Compare with the signed one
++    if expected != clearsig:
+         raise VerificationError('Verification failed')
+ 
+     return True
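Review bot: in verify(), nothing in the lines shown compares len(signature) with keylength before `encrypted = transform.bytes2int(signature)`, so a signature with extra leading zero bytes converts to the same integer and reaches the `expected != clearsig` comparison unchanged. Since that comparison is now the entire check, consider rejecting any signature whose length differs from keylength up front. A regression test would also help: a block that carries the correct ASN.1 prefix and hash but has shortened padding or trailing bytes must raise VerificationError.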
+@@ -351,24 +337,20 @@
+     return hasher.digest()
+ 
+ 
+-def _find_method_hash(method_hash):
+-    '''Finds the hash method and the hash itself.
++def _find_method_hash(clearsig):
++    '''Finds the hash method.
+     
+-    :param method_hash: ASN1 code for the hash method concatenated with the
+-        hash itself.
++    :param clearsig: full padded ASN1 and hash.
+     
+-    :return: tuple (method, hash) where ``method`` is the used hash method, and
+-        ``hash`` is the hash itself.
++    :return: the used hash method.
+     
+     :raise VerificationFailed: when the hash method cannot be found
+ 
+     '''
+ 
+     for (hashname, asn1code) in HASH_ASN1.items():
+-        if not method_hash.startswith(asn1code):
+-            continue
+-        
+-        return (hashname, method_hash[len(asn1code):])
++        if asn1code in clearsig:
++            return hashname
+     
+     raise VerificationError('Verification failed')
+ 
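Review bot: `if asn1code in clearsig:` in _find_method_hash matches the ASN.1 prefix anywhere in the decrypted block, not at the position the padding dictates, so the returned hash name is derived from unverified data. This is only acceptable because verify() rebuilds the full padded block and compares it. A comment saying the result is a hint and must never be trusted on its own would keep later callers from relying on it. Two smaller points: the docstring still says `:raise VerificationFailed:` while the code raises VerificationError, and the name _find_method_hash no longer matches a function that returns only the method.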
diff -Nru python-rsa-3.1.4/debian/patches/series python-rsa-3.1.4/debian/patches/series
--- python-rsa-3.1.4/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ python-rsa-3.1.4/debian/patches/series	2016-03-22 17:37:01.000000000 +0100
@@ -0,0 +1 @@
+CVE-2016-1494.patch

--- End Message ---
--- Begin Message ---
Version: 8.4

Hi,

The packages referenced by these bugs were included in today's stable
point release.

Regards,

Adam

--- End Message ---
