Hi Ola, On 26/05/21 01:45 PM, Ola Lundqvist wrote: > Hi fellow LTS contributors > > I have checked this CVE and my conclusions are as follows. > The CVE actually cover five different problems. I guess CVEs should not > do that, but it did anyway. > > Quote from upstream: > > Two were vulnerabilities in v3.0 involving the new > RSA::SIGNATURE_RELAXED_PKCS1 mode (which doesn't exist in 2.0) > > Two were bugs in v3.0 involving the new RSA::SIGNATURE_RELAXED_PKCS1 > mode (which again, doesn't exist in 2.0) > > One was a bug in v1.0, v2.0 and v3.0. > > The bug refers to "We have also found incompatibility issue in > phpseclib v1, v2, v3 (strict mode)'s RSA PKCS#1 v1.5 signature > verification suffering from rejecting valid signatures whose encoded > message uses implicit hash algorithm's NULL parameter." > > My conclusion is that one bug can be fixed. But I do not think it is a > security problem. The problem is that some signatures fail valid > signatures, if they are encoded in a special way. > > What I have done is to mark the CVE as not-affected with a note about > this. > > Let me know if you think my analysis is correct. I've gone through those comments and fixes. Since valid signature failing bug in v1 and v2 is not a security issue. I think marking CVE-2021-30130 as not-affected is the way to go. Sorry for holding the package. --abhijith
Attachment:
signature.asc
Description: PGP signature