
Bug#1035475: bullseye-pu: package dkimpy/1.0.5-1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

This is a new upstream release that we targeted to address bugs that
would generally be suitable for Debian post-release updates.

[ Reason ]
Fix bugs identified below.

Several significant bug fixes have been done that together merited an
upstream release of the older series (1.0).  While none of these are
known regressions from Buster, some of them are significant, in
particular:

The base64 validation regexp bug causes a 1-2% DKIM signature
verification failure rate, which adds up.

The ed25519 key file permissions fix has potential security implications
for anyone generating private keys on insecure systems.  This is low
probability because people shouldn't do this, but no doubt someone does.

[ Impact ]
Bugs aren't fixed.  Primary impact is 1-2% of messages that should pass
DKIM verification will be evaluated as failures.

[ Tests ]
The dkimpy package has an autopkgtest which runs the upstream test suite
(and passes).  I have this update running in production locally.

[ Risks ]
Risk is low.  The riskiest change, the base64 validation regexp fix, has
been released in the dkimpy 1.1 series for a few months with no issues
reported.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]

All upstream changes are described in the upstream changelog:

2023-04-30 Version 1.0.6
    - Provide more specific error message when ed25519 private key is invalid
      (See LP 1901569 for background)
    - Correct base64 validation regexp so that valid signature with == split
      between two lines are not incorrectly evaluated as invalid (LP:
      #2002295) - Thanks to <https://launchpad.net/~obadz> for the report and
      the proposed fix
    - Fix traceback when attempting to verify an unsigned message using
      async verify (Thanks to Nikita Sychev for the report and a suggested
      fix) (LP: #2008723)
    - Verify correct AMS header is used for ARC seal verification
    - Catch nacl.exceptions.ValueError and raise KeyFormatError, similar to how
      RSA key errors are treated (LP: #2018021)
    - Create ed25519 key files with secure permissions to avoid risk of
      insecure chmode call/race condition (Thanks to Hanno Böck for the report
      and the suggested fix) (LP: #2017430)

The only packaging changes are to adjust for bullseye specifics.

[ Other info ]
These bug fixes were included in unstable in version 1.1.0-1, 1.1.1-1,
1.1.2-1, and 1.1.3-1.
diff -Nru dkimpy-1.0.5/ChangeLog dkimpy-1.0.6/ChangeLog
--- dkimpy-1.0.5/ChangeLog	2020-08-08 22:34:58.000000000 -0400
+++ dkimpy-1.0.6/ChangeLog	2023-04-30 10:09:05.000000000 -0400
@@ -1,3 +1,20 @@
+2023-04-30 Version 1.0.6
+    - Provide more specific error message when ed25519 private key is invalid
+      (See LP 1901569 for background)
+    - Correct base64 validation regexp so that valid signature with == split
+      between two lines are not incorrectly evaluated as invalid (LP:
+      #2002295) - Thanks to <https://launchpad.net/~obadz> for the report and
+      the proposed fix
+    - Fix traceback when attempting to verify an unsigned message using
+      async verify (Thanks to Nikita Sychev for the report and a suggested
+      fix) (LP: #2008723)
+    - Verify correct AMS header is used for ARC seal verification
+    - Catch nacl.exceptions.ValueError and raise KeyFormatError, similar to how
+      RSA key errors are treated (LP: #2018021)
+    - Create ed25519 key files with secure permissions to avoid risk of
+      insecure chmode call/race condition (Thanks to Hanno Böck for the report
+      and the suggested fix) (LP: #2017430)
+
 2020-08-08 Version 1.0.5
     - Update dnsplug for DNS Python (dns) 2.0 compatibility (LP: #1888583)
     - Fix @param srv_id typos (LP: #1890532)
diff -Nru dkimpy-1.0.5/debian/changelog dkimpy-1.0.6/debian/changelog
--- dkimpy-1.0.5/debian/changelog	2020-08-08 23:05:48.000000000 -0400
+++ dkimpy-1.0.6/debian/changelog	2023-05-03 12:55:36.000000000 -0400
@@ -1,3 +1,11 @@
+dkimpy (1.0.6-0+deb11u1) bullseye; urgency=medium
+
+  * Update d/watch to look for 1.0 updates for bullseye
+  * Update d/gbp.conf for bullseye
+  * New upstream release
+
+ -- Scott Kitterman <scott@kitterman.com>  Wed, 03 May 2023 12:55:36 -0400
+
 dkimpy (1.0.5-1) unstable; urgency=medium
 
   * Bump debhelper compat to 12
diff -Nru dkimpy-1.0.5/debian/gbp.conf dkimpy-1.0.6/debian/gbp.conf
--- dkimpy-1.0.5/debian/gbp.conf	2020-04-06 08:25:05.000000000 -0400
+++ dkimpy-1.0.6/debian/gbp.conf	2023-05-03 12:53:03.000000000 -0400
@@ -1,2 +1,3 @@
 [DEFAULT]
-debian-branch=debian/master
+debian-branch=debian/bullseye
+upstream-branch=upstream-bullseye
diff -Nru dkimpy-1.0.5/debian/watch dkimpy-1.0.6/debian/watch
--- dkimpy-1.0.5/debian/watch	2020-04-06 08:25:05.000000000 -0400
+++ dkimpy-1.0.6/debian/watch	2023-05-03 12:52:31.000000000 -0400
@@ -1,4 +1,4 @@
 version=3
 opts="pgpsigurlmangle=s/$/.asc/" https://launchpad.net/dkimpy/+download \
-https://launchpad.net/dkimpy/.*/.*/dkimpy-(.*)\.tar\.gz
+https://launchpad.net/dkimpy/.*/.*/dkimpy-(1\.0.*)\.tar\.gz
 
diff -Nru dkimpy-1.0.5/dkim/asyncsupport.py dkimpy-1.0.6/dkim/asyncsupport.py
--- dkimpy-1.0.5/dkim/asyncsupport.py	2020-04-06 00:27:45.000000000 -0400
+++ dkimpy-1.0.6/dkim/asyncsupport.py	2023-04-30 09:58:34.000000000 -0400
@@ -94,8 +94,11 @@
 
 
   async def verify(self,idx=0,dnsfunc=get_txt_async):
-    sig, include_headers, sigheaders = self.verify_headerprep(idx=0)
-    return await self.verify_sig(sig, include_headers, sigheaders[idx], dnsfunc)
+    prep = self.verify_headerprep(idx)
+    if prep:
+        sig, include_headers, sigheaders = prep
+        return await self.verify_sig(sig, include_headers, sigheaders[idx], dnsfunc)
+    return False # No signature
 
 
 async def verify_async(message, logger=None, dnsfunc=None, minkey=1024,
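Review bot: `if prep:` in `verify` depends on `verify_headerprep` returning a falsy value for an unsigned message, which this hunk does not show; testing for the exact sentinel it returns would make that contract explicit. The same lines also change `verify_headerprep(idx=0)` to `verify_headerprep(idx)`, a behaviour change for callers that pass a non-zero `idx`, and the changelog entry for LP: #2008723 does not mention it. The new body is indented four spaces inside a method that otherwise uses two.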
diff -Nru dkimpy-1.0.5/dkim/dknewkey.py dkimpy-1.0.6/dkim/dknewkey.py
--- dkimpy-1.0.5/dkim/dknewkey.py	2020-04-06 00:06:13.000000000 -0400
+++ dkimpy-1.0.6/dkim/dknewkey.py	2023-04-30 10:05:09.000000000 -0400
@@ -61,10 +61,12 @@
     skg = nacl.signing.SigningKey(seed=os.urandom(32))
     eprint('generating ' + private_key_file)
     priv_key = skg.generate()
+    if os.name == 'posix':
+        old_umask = os.umask(0o077)
     with open(private_key_file, 'w') as pkf:
         pkf.write(priv_key.encode(encoder=nacl.encoding.Base64Encoder).decode("utf-8"))
     if os.name == 'posix':
-        os.chmod(private_key_file, 0o600)
+        os.umask(old_umask)
     return(priv_key)
 
 def ExtractRSADnsPublicKey(private_key_file, dns_file):
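Review bot: the umask set before `open(private_key_file, 'w')` only applies when `open` creates the file; if `private_key_file` already exists with looser permissions it is truncated and keeps its old mode, a case the removed `os.chmod(private_key_file, 0o600)` did cover. `os.umask(old_umask)` is also skipped when `open` or `write` raises, which leaves the process umask at 0o077. Consider `os.open(private_key_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)` wrapped in `os.fdopen`, which sets the mode at creation and refuses to reuse an existing file, or at least restore the umask in a `finally`.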
diff -Nru dkimpy-1.0.5/dkim/__init__.py dkimpy-1.0.6/dkim/__init__.py
--- dkimpy-1.0.5/dkim/__init__.py	2020-08-08 17:05:10.000000000 -0400
+++ dkimpy-1.0.6/dkim/__init__.py	2023-04-30 10:03:31.000000000 -0400
@@ -272,13 +272,13 @@
         raise ValidationError("unknown signature algorithm: %s" % sig[b'a'])
 
     if b'b' in sig:
-        if re.match(br"[\s0-9A-Za-z+/]+=*$", sig[b'b']) is None:
+        if re.match(br"[\s0-9A-Za-z+/]+[\s=]*$", sig[b'b']) is None:
             raise ValidationError("b= value is not valid base64 (%s)" % sig[b'b'])
         if len(re.sub(br"\s+", b"", sig[b'b'])) % 4 != 0:
             raise ValidationError("b= value is not valid base64 (%s)" % sig[b'b'])
 
     if b'bh' in sig:
-        if re.match(br"[\s0-9A-Za-z+/]+=*$", sig[b'bh']) is None:
+        if re.match(br"[\s0-9A-Za-z+/]+[\s=]*$", sig[b'b']) is None:
             raise ValidationError("bh= value is not valid base64 (%s)" % sig[b'bh'])
         if len(re.sub(br"\s+", b"", sig[b'bh'])) % 4 != 0:
             raise ValidationError("bh= value is not valid base64 (%s)" % sig[b'bh'])
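Review bot: inside the `if b'bh' in sig:` block the new `re.match` is applied to `sig[b'b']` rather than `sig[b'bh']`, so the body hash value is no longer checked against the pattern and only the length check below it still looks at `bh`. It also makes this branch depend on `b=` being present in `sig`. The argument should be `sig[b'bh']`, matching the error message on the next line.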
@@ -446,6 +446,8 @@
               pk = nacl.signing.VerifyKey(pub[b'p'], encoder=nacl.encoding.Base64Encoder)
           except NameError:
               raise NaClNotFoundError('pynacl module required for ed25519 signing, see README.md')
+          except nacl.exceptions.ValueError as e:
+              raise KeyFormatError("could not parse ed25519 public key (%s): %s" % (pub[b'p'],e))
           keysize = 256
           ktag = b'ed25519'
   except KeyError:
@@ -455,9 +457,9 @@
           pk = parse_public_key(base64.b64decode(pub[b'p']))
           keysize = bitsize(pk['modulus'])
       except KeyError:
-          raise KeyFormatError("incomplete public key: %s" % s)
+          raise KeyFormatError("incomplete RSA public key: %s" % s)
       except (TypeError,UnparsableKeyError) as e:
-          raise KeyFormatError("could not parse public key (%s): %s" % (pub[b'p'],e))
+          raise KeyFormatError("could not parse RSA public key (%s): %s" % (pub[b'p'],e))
       ktag = b'rsa'
   if pub[b'k'] != b'rsa' and pub[b'k'] != b'ed25519':
       raise KeyFormatError('unknown algorithm in k= tag: {0}'.format(pub[b'k']))
@@ -832,6 +834,8 @@
             pk = nacl.signing.SigningKey(privkey, encoder=nacl.encoding.Base64Encoder)
         except NameError:
             raise NaClNotFoundError('pynacl module required for ed25519 signing, see README.md')
+        except nacl.exceptions.ValueError:
+            raise KeyFormatError('invalid ed25519 private key or format')
 
     if identity is not None and not identity.endswith(domain):
         raise ParameterError("identity must end with domain")
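Review bot: the new `except nacl.exceptions.ValueError:` drops the underlying exception, while the public-key handler added earlier in this file binds it with `as e` and reports it. Binding it here and using `raise KeyFormatError(...) from e` would keep the cause in the traceback; leaving `privkey` itself out of the message, as this hunk does, is the right choice.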
@@ -1259,7 +1263,9 @@
     # we can't use the AMS provided above, as it's already been canonicalized relaxed
     # for use in validating the AS.  However the AMS is included in the AMS itself,
     # and this can use simple canonicalization
-    raw_ams_header = [(x, y) for (x, y) in self.headers if x.lower() == b'arc-message-signature'][0]
+    raw_ams_header = [
+       (x, y) for (x, y) in self.headers if x.lower() == b'arc-message-signature' and b" i="+sig[b'i']+b";" in y.lower()
+    ][0]
 
     # Only relaxed canonicalization used by ARC
     if b'c' not in sig:
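Review bot: the added filter `b" i="+sig[b'i']+b";" in y.lower()` is a raw substring test, so it only selects the AMS when `i=` is preceded by a single space and immediately followed by `;`. A header folded with a tab before `i=`, or with whitespace before the semicolon, is skipped, and the trailing `[0]` then raises `IndexError` when nothing matches. Parsing each candidate's tags and comparing the `i` value, then raising a validation error when no AMS matches, would be more robust.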
diff -Nru dkimpy-1.0.5/dkimpy.egg-info/PKG-INFO dkimpy-1.0.6/dkimpy.egg-info/PKG-INFO
--- dkimpy-1.0.5/dkimpy.egg-info/PKG-INFO	2020-08-08 22:35:02.000000000 -0400
+++ dkimpy-1.0.6/dkimpy.egg-info/PKG-INFO	2023-04-30 10:09:23.000000000 -0400
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dkimpy
-Version: 1.0.5
+Version: 1.0.6
 Summary: DKIM (DomainKeys Identified Mail), ARC (Authenticated Receive Chain), and TLSRPT (TLS Report) email signing and verification
 Home-page: https://launchpad.net/dkimpy
 Author: Scott Kitterman
@@ -21,7 +21,7 @@
         
         # VERSION
         
-        This is dkimpy 1.0.5.
+        This is dkimpy 1.0.6.
         
         # REQUIREMENTS
         
@@ -160,7 +160,10 @@
         
         dknewkey is s script that produces private and public key pairs suitable
         for use with DKIM.  Note that the private key file format used for ed25519 is
-        not standardized (there is no standard) and is unique to dkimpy.
+        not standardized (there is no standard) and is unique to dkimpy.  Creation of
+        keys should be done in a secure environment.  If an unauthorized entity gains
+        access to current private keys they can generate signed email that will pass
+        DKIM checkes and will be difficult to repudiate.
         
         dkimsign is a filter that reads an RFC822 message on standard input, and
         writes the same message on standard output with a DKIM-Signature line
diff -Nru dkimpy-1.0.5/dkimpy.egg-info/requires.txt dkimpy-1.0.6/dkimpy.egg-info/requires.txt
--- dkimpy-1.0.5/dkimpy.egg-info/requires.txt	2020-08-08 22:35:02.000000000 -0400
+++ dkimpy-1.0.6/dkimpy.egg-info/requires.txt	2023-04-30 10:09:23.000000000 -0400
@@ -1,4 +1,4 @@
-dnspython>=1.16.0
+Py3DNS
 
 [ARC]
 authres
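Review bot: the switch from `dnspython>=1.16.0` to `Py3DNS` in this generated file is not mentioned in either changelog, although the checklist states that all changes are documented. The `setup.py` context line "Work-around for lack of 'or' requires in setuptools" suggests the value depends on which DNS module was present when the tarball was built; it is worth confirming that and noting that the bullseye package's declared dependencies are unaffected.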
diff -Nru dkimpy-1.0.5/PKG-INFO dkimpy-1.0.6/PKG-INFO
--- dkimpy-1.0.5/PKG-INFO	2020-08-08 22:35:02.000000000 -0400
+++ dkimpy-1.0.6/PKG-INFO	2023-04-30 10:09:24.056335000 -0400
@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dkimpy
-Version: 1.0.5
+Version: 1.0.6
 Summary: DKIM (DomainKeys Identified Mail), ARC (Authenticated Receive Chain), and TLSRPT (TLS Report) email signing and verification
 Home-page: https://launchpad.net/dkimpy
 Author: Scott Kitterman
@@ -21,7 +21,7 @@
         
         # VERSION
         
-        This is dkimpy 1.0.5.
+        This is dkimpy 1.0.6.
         
         # REQUIREMENTS
         
@@ -160,7 +160,10 @@
         
         dknewkey is s script that produces private and public key pairs suitable
         for use with DKIM.  Note that the private key file format used for ed25519 is
-        not standardized (there is no standard) and is unique to dkimpy.
+        not standardized (there is no standard) and is unique to dkimpy.  Creation of
+        keys should be done in a secure environment.  If an unauthorized entity gains
+        access to current private keys they can generate signed email that will pass
+        DKIM checkes and will be difficult to repudiate.
         
         dkimsign is a filter that reads an RFC822 message on standard input, and
         writes the same message on standard output with a DKIM-Signature line
diff -Nru dkimpy-1.0.5/README.md dkimpy-1.0.6/README.md
--- dkimpy-1.0.5/README.md	2020-08-08 17:04:57.000000000 -0400
+++ dkimpy-1.0.6/README.md	2023-04-30 10:07:38.000000000 -0400
@@ -13,7 +13,7 @@
 
 # VERSION
 
-This is dkimpy 1.0.5.
+This is dkimpy 1.0.6.
 
 # REQUIREMENTS
 
@@ -152,7 +152,10 @@
 
 dknewkey is s script that produces private and public key pairs suitable
 for use with DKIM.  Note that the private key file format used for ed25519 is
-not standardized (there is no standard) and is unique to dkimpy.
+not standardized (there is no standard) and is unique to dkimpy.  Creation of
+keys should be done in a secure environment.  If an unauthorized entity gains
+access to current private keys they can generate signed email that will pass
+DKIM checkes and will be difficult to repudiate.
 
 dkimsign is a filter that reads an RFC822 message on standard input, and
 writes the same message on standard output with a DKIM-Signature line
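Review bot: the added sentence misspells "checks" as "checkes", and the first context line of this hunk still reads "dknewkey is s script". Both carry over into the two PKG-INFO copies in this debdiff, so fixing README.md upstream fixes all three.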
diff -Nru dkimpy-1.0.5/setup.py dkimpy-1.0.6/setup.py
--- dkimpy-1.0.5/setup.py	2020-08-08 17:04:57.000000000 -0400
+++ dkimpy-1.0.6/setup.py	2023-04-30 09:50:16.000000000 -0400
@@ -25,7 +25,7 @@
 import os
 import sys
 
-version = "1.0.5"
+version = "1.0.6"
 
 kw = {}  # Work-around for lack of 'or' requires in setuptools.
 try:
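
Added example, not part of the original message or of dkimpy: the two `b=`/`bh=` patterns from the `dkim/__init__.py` hunk run over a constructed 64-byte signature value, showing which header folding the old pattern rejected. The sample value and the `fold` helper are assumptions made for the illustration.

```python
import base64
import re

# Patterns copied from the dkim/__init__.py hunk in the debdiff above.
OLD_RE = re.compile(br"[\s0-9A-Za-z+/]+=*$")
NEW_RE = re.compile(br"[\s0-9A-Za-z+/]+[\s=]*$")


def tag_is_valid_base64(value, pattern):
    """Apply the two checks the hunk makes on a b= or bh= tag value."""
    if pattern.match(value) is None:
        return False
    return len(re.sub(br"\s+", b"", value)) % 4 == 0


def fold(value, width):
    """Hypothetical helper: wrap a value with CRLF + tab every `width` bytes."""
    chunks = [value[i:i + width] for i in range(0, len(value), width)]
    return b"\r\n\t".join(chunks)


# Constructed sample: 64 bytes (the size of an ed25519 signature) encode to
# 88 base64 characters that end in "==".
SIG_B64 = base64.b64encode(bytes(range(64)))

SAMPLES = {
    "unfolded": SIG_B64,
    "folded_in_data": fold(SIG_B64, 76),
    "folded_between_padding": fold(SIG_B64, 87),  # "...=" CRLF TAB "="
    "padding_inside_data": SIG_B64[:40] + b"=" + SIG_B64[40:],
}


def compare():
    """Return {sample name: (accepted by old pattern, accepted by new)}."""
    return {
        name: (tag_is_valid_base64(v, OLD_RE), tag_is_valid_base64(v, NEW_RE))
        for name, v in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:24} old={old!s:5} new={new!s:5}")
```

Only the value whose two padding characters land on different lines changes outcome between the patterns; a `=` in the middle of the data is rejected by both.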

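
Added example, not dkimpy's code: the umask pattern from the `dknewkey.py` hunk beside creation through `os.open` with `O_EXCL` and mode 0o600, run against a fresh path and against a pre-existing world-readable file. File names and key text are constructed, and the code assumes a POSIX system.

```python
import os
import stat
import tempfile

KEY_TEXT = "constructed-key-material"  # placeholder, not a real key


def write_with_umask(path, data):
    """Pattern from the hunk, with the umask restore moved into finally."""
    old_umask = os.umask(0o077)
    try:
        with open(path, "w") as f:
            f.write(data)
    finally:
        os.umask(old_umask)


def write_exclusive(path, data):
    """Create with mode 0600 at creation time; refuse an existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Return the resulting modes/outcomes for each creation strategy."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        fresh, stale, safe = (os.path.join(d, n) for n in ("a.key", "b.key", "c.key"))
        write_with_umask(fresh, KEY_TEXT)
        out["umask_fresh"] = mode_of(fresh)
        # A file left behind earlier with world-readable permissions.
        open(stale, "w").close()
        os.chmod(stale, 0o644)
        write_with_umask(stale, KEY_TEXT)  # truncates, mode is unchanged
        out["umask_existing"] = mode_of(stale)
        try:
            write_exclusive(stale, KEY_TEXT)
            out["exclusive_existing"] = "written"
        except FileExistsError:
            out["exclusive_existing"] = "refused"
        write_exclusive(safe, KEY_TEXT)
        out["exclusive_fresh"] = mode_of(safe)
    return out
```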