
CVE-2021-30130 php-phpseclib and phpseclib



Hi fellow LTS contributors

I have checked this CVE and my conclusions are as follows.
The CVE actually covers five different problems. I guess CVEs should not do that, but it did anyway.

Quote from upstream:
Two were vulnerabilities in v3.0 involving the new RSA::SIGNATURE_RELAXED_PKCS1 mode (which doesn't exist in 2.0)
Two were bugs in v3.0 involving the new RSA::SIGNATURE_RELAXED_PKCS1 mode (which again, doesn't exist in 2.0)
One was a bug in v1.0, v2.0 and v3.0.

The bug refers to "We have also found incompatibility issue in phpseclib v1, v2, v3 (strict mode)'s RSA PKCS#1 v1.5 signature verification suffering from rejecting valid signatures whose encoded message uses implicit hash algorithm's NULL parameter."

My conclusion is that one bug can be fixed. But I do not think it is a security problem. The problem is that some valid signatures fail, if they are encoded in a special way.

What I have done is to mark the CVE as not-affected with a note about this.

Let me know if you think my analysis is correct.

I'm sending this to you all since I'm not 100% sure how to treat it.

Best regards

// Ola


--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
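
The incompatibility quoted in the message above, as an added example that is not part of the original mail and is not phpseclib code: it builds the SHA-256 DigestInfo with an explicit NULL parameter and with the parameter absent, and compares a verifier that knows only the first form with one that accepts both. The function names, the `accept_absent_params` switch, and the sample message are assumptions made for illustration; the RSA public-key operation is left out, so the check runs on the encoded message (EM) it would return.

```python
import hashlib
import hmac

# DER encoding of the SHA-256 OID 2.16.840.1.101.3.4.2.1
SHA256_OID = bytes.fromhex("0609608648016503040201")
DER_NULL = b"\x05\x00"


def digest_info(digest: bytes, explicit_null: bool) -> bytes:
    """DER DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING }."""
    params = DER_NULL if explicit_null else b""
    alg_id = b"\x30" + bytes([len(SHA256_OID) + len(params)]) + SHA256_OID + params
    octets = b"\x04" + bytes([len(digest)]) + digest
    return b"\x30" + bytes([len(alg_id) + len(octets)]) + alg_id + octets


def emsa_pkcs1_v15(message: bytes, em_len: int, explicit_null: bool = True) -> bytes:
    """EM = 0x00 || 0x01 || PS (0xff, at least 8 bytes) || 0x00 || DigestInfo."""
    t = digest_info(hashlib.sha256(message).digest(), explicit_null)
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def check_em(em: bytes, message: bytes, accept_absent_params: bool) -> bool:
    """Verify by re-encoding and comparing whole blocks, never by parsing EM.

    accept_absent_params=False models a verifier that knows only the
    explicit-NULL encoding (hypothetical switch, not a phpseclib option).
    """
    try:
        candidates = [emsa_pkcs1_v15(message, len(em), True)]
        if accept_absent_params:
            candidates.append(emsa_pkcs1_v15(message, len(em), False))
    except ValueError:
        return False
    return any(hmac.compare_digest(em, c) for c in candidates)


# Constructed sample input: EM blocks for a 2048-bit modulus (256 bytes).
MSG = b"constructed sample message"
EM_NULL = emsa_pkcs1_v15(MSG, 256, explicit_null=True)
EM_ABSENT = emsa_pkcs1_v15(MSG, 256, explicit_null=False)

if __name__ == "__main__":
    for name, em in (("explicit NULL", EM_NULL), ("absent params", EM_ABSENT)):
        print(name, check_em(em, MSG, False), check_em(em, MSG, True))
```

Because both verifiers compare the whole block byte for byte, accepting the second encoding does not loosen the padding check; the only difference is that the absent-parameter form stops being rejected.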

