Your message dated Mon, 25 Sep 2017 05:20:00 +0000
with message-id <e1dwlog-000ini...@fasolo.debian.org>
and subject line Bug#873244: fixed in pyjwt 1.4.2-1.1
has caused the Debian Bug report #873244,
regarding pyjwt: PyJWT vulnerability for some keys
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
873244: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873244
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pyjwt
Version: 1.4.2-1
Severity: important
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu artful ubuntu-patch

Dear Maintainer,

Upstream already fixed that issue; here is the debdiff that was applied in
order to fix this.


  * SECURITY UPDATE: symmetric/asymmetric key confusion attacks
    - debian/patches/CVE-2017-11424.patch: Throw if key is a PKCS1
      PEM-encoded public key in jwt/algorithms.py, jwt/api_jws.py,
      jwt/api_jwt.py, tests/keys/testkey_pkcs1.pub.pem,
      tests/test_algorithms.py, tests/test_api_jws.py, tests/test_api_jwt.py.
    - CVE-2017-11424


Thanks for considering the patch.



-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.10.0-32-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru pyjwt-1.4.2/debian/files pyjwt-1.4.2/debian/files
--- pyjwt-1.4.2/debian/files	1969-12-31 21:00:00.000000000 -0300
+++ pyjwt-1.4.2/debian/files	2017-08-30 11:51:30.000000000 -0300
@@ -0,0 +1 @@
+pyjwt_1.4.2-1ubuntu1_source.buildinfo python optional
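Review bot: debian/files is a build-time artifact written by dpkg-genchanges and should not be part of the debdiff; drop this file from the patch and run the clean target (dh_clean removes debian/files) before regenerating, otherwise the stale `pyjwt_1.4.2-1ubuntu1_source.buildinfo python optional` line gets baked into the source package and can confuse later builds.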
diff -Nru pyjwt-1.4.2/debian/patches/CVE-2017-11424.patch pyjwt-1.4.2/debian/patches/CVE-2017-11424.patch
--- pyjwt-1.4.2/debian/patches/CVE-2017-11424.patch	1969-12-31 21:00:00.000000000 -0300
+++ pyjwt-1.4.2/debian/patches/CVE-2017-11424.patch	2017-08-29 11:40:17.000000000 -0300
@@ -0,0 +1,139 @@
+From 1922f0972b065077404c0dafa0946f2132400a2b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Padilla?= <jpadi...@webapplicate.com>
+Date: Wed, 21 Jun 2017 15:49:41 -0400
+Subject: [PATCH 1/3] Throw if key is an PKCS1 PEM-encoded public key
+
+---
+ jwt/algorithms.py                |  1 +
+ jwt/api_jws.py                   |  9 +++++++++
+ jwt/api_jwt.py                   |  9 +++++++++
+ tests/keys/testkey_pkcs1.pub.pem |  5 +++++
+ tests/test_algorithms.py         |  7 +++++++
+ tests/test_api_jws.py            | 10 ++++++++++
+ tests/test_api_jwt.py            | 10 ++++++++++
+ 7 files changed, 51 insertions(+)
+ create mode 100644 tests/keys/testkey_pkcs1.pub.pem
+
+diff --git a/jwt/algorithms.py b/jwt/algorithms.py
+index 51e8f16..fd9c3ac 100644
+--- a/jwt/algorithms.py
++++ b/jwt/algorithms.py
+@@ -121,6 +121,7 @@ class HMACAlgorithm(Algorithm):
+         invalid_strings = [
+             b'-----BEGIN PUBLIC KEY-----',
+             b'-----BEGIN CERTIFICATE-----',
++            b'-----BEGIN RSA PUBLIC KEY-----',
+             b'ssh-rsa'
+         ]
+ 
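Review bot: the added `b'-----BEGIN RSA PUBLIC KEY-----'` entry closes the PKCS#1 PEM gap, but the surrounding context shows `invalid_strings` is a denylist of textual markers, so it can only ever be a best-effort guard: a public key supplied as DER bytes, as JWK JSON, or under any PEM label not in the list would still be accepted as an HMAC secret. Add a comment above the list saying it is defense in depth, and that the `algorithms` allowlist passed to decode() is the control that actually prevents asymmetric-to-HMAC key confusion.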
+diff --git a/jwt/api_jws.py b/jwt/api_jws.py
+index 177f5ff..a91137c 100644
+--- a/jwt/api_jws.py
++++ b/jwt/api_jws.py
+@@ -107,6 +107,15 @@ class PyJWS(object):
+ 
+     def decode(self, jws, key='', verify=True, algorithms=None, options=None,
+                **kwargs):
++
++        if not algorithms:
++            warnings.warn(
++                'It is strongly recommended that you pass in a ' +
++                'value for the "algorithms" argument when calling decode(). ' +
++                'This argument will be mandatory in a future version.',
++                DeprecationWarning
++            )
++
+         payload, signing_input, header, signature = self._load(jws)
+ 
+         if verify:
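Review bot: the new warning fires whenever `algorithms` is falsy, including when the caller passes `verify=False`, where the argument has no effect; condition it on `if verify and not algorithms:` so callers who deliberately skip verification are not told to supply an allowlist that would be ignored. Two smaller points: the hunk calls `warnings.warn` without adding an import, which is fine only if api_jws.py already imports `warnings` for the existing verify=False deprecation (otherwise this is a NameError at decode time); and `DeprecationWarning` is suppressed by Python's default warning filters outside test runners, so most production callers will never see the "will be mandatory in a future version" message unless it is also stated in the changelog and docs.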
+diff --git a/jwt/api_jwt.py b/jwt/api_jwt.py
+index 9703b8d..e0e6c25 100644
+--- a/jwt/api_jwt.py
++++ b/jwt/api_jwt.py
+@@ -58,6 +58,15 @@ class PyJWT(PyJWS):
+ 
+     def decode(self, jwt, key='', verify=True, algorithms=None, options=None,
+                **kwargs):
++
++        if not algorithms:
++            warnings.warn(
++                'It is strongly recommended that you pass in a ' +
++                'value for the "algorithms" argument when calling decode(). ' +
++                'This argument will be mandatory in a future version.',
++                DeprecationWarning
++            )
++
+         payload, signing_input, header, signature = self._load(jwt)
+ 
+         decoded = super(PyJWT, self).decode(jwt, key, verify, algorithms,
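Review bot: this duplicates the warning the previous hunk already adds to PyJWS.decode, and the context shows PyJWT.decode forwards `algorithms` unchanged to `super(PyJWT, self).decode(jwt, key, verify, algorithms, ...)`, so a single `jwt.decode(token, secret)` call emits the DeprecationWarning twice. Keep one copy (the base-class one covers direct PyJWS users as well) so the message is emitted once per call; the same `verify=False` caveat from the PyJWS hunk applies here.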
+diff --git a/tests/keys/testkey_pkcs1.pub.pem b/tests/keys/testkey_pkcs1.pub.pem
+new file mode 100644
+index 0000000..f690179
+--- /dev/null
++++ b/tests/keys/testkey_pkcs1.pub.pem
+@@ -0,0 +1,5 @@
++-----BEGIN RSA PUBLIC KEY-----
++MIGHAoGBAOV/0Vl/5VdHcYpnILYzBGWo5JQVzo9wBkbxzjAStcAnTwvv1ZJTMXs6
++fjz91f9hiMM4Z/5qNTE/EHlDWxVdj1pyRaQulZPUs0r9qJ02ogRRGLG3jjrzzbzF
++yj/pdNBwym0UJYC/Jmn/kMLwGiWI2nfa9vM5SovqZiAy2FD7eOtVAgED
++-----END RSA PUBLIC KEY-----
+diff --git a/tests/test_algorithms.py b/tests/test_algorithms.py
+index e3cf1d0..fea654c 100644
+--- a/tests/test_algorithms.py
++++ b/tests/test_algorithms.py
+@@ -84,6 +84,13 @@ class TestAlgorithms:
+             with open(key_path('testkey2_rsa.pub.pem'), 'r') as keyfile:
+                 algo.prepare_key(keyfile.read())
+ 
++    def test_hmac_should_throw_exception_if_key_is_pkcs1_pem_public(self):
++        algo = HMACAlgorithm(HMACAlgorithm.SHA256)
++
++        with pytest.raises(InvalidKeyError):
++            with open(key_path('testkey_pkcs1.pub.pem'), 'r') as keyfile:
++                algo.prepare_key(keyfile.read())
++
+     @pytest.mark.skipif(not has_crypto, reason='Not supported without cryptography library')
+     def test_rsa_should_parse_pem_public_key(self):
+         algo = RSAAlgorithm(RSAAlgorithm.SHA256)
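Review bot: the new test pins only the PKCS#1 marker, while the fix is one more entry in the `invalid_strings` list in HMACAlgorithm.prepare_key; consider parametrizing this test over every entry of that list (the existing `-----BEGIN PUBLIC KEY-----`, `-----BEGIN CERTIFICATE-----` and `ssh-rsa` cases included) so a later edit to the list cannot silently drop a marker without a test failing. Opening the fixture with `'r'` matches the existing `testkey2_rsa.pub.pem` test above, so that is consistent.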
+diff --git a/tests/test_api_jws.py b/tests/test_api_jws.py
+index c56ec4b..0c6854e 100644
+--- a/tests/test_api_jws.py
++++ b/tests/test_api_jws.py
+@@ -266,6 +266,16 @@ class TestJWS:
+ 
+         pytest.deprecated_call(jws.decode, example_jws, verify=False)
+ 
++    def test_decode_with_optional_algorithms(self, jws):
++        example_secret = 'secret'
++        example_jws = (
++            b'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.'
++            b'aGVsbG8gd29ybGQ.'
++            b'SIr03zM64awWRdPrAM_61QWsZchAtgDV3pphfHPPWkI'
++        )
++
++        pytest.deprecated_call(jws.decode, example_jws, key=example_secret)
++
+     def test_load_no_verification(self, jws, payload):
+         right_secret = 'foo'
+         jws_message = jws.encode(payload, right_secret)
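Review bot: `test_decode_with_optional_algorithms` only checks that a DeprecationWarning is emitted; it does not check that decoding still succeeds, nor that no warning is emitted when `algorithms=['HS256']` is passed, so a regression that warns unconditionally would not be caught. `pytest.deprecated_call` returns the wrapped call's result, so assert on the returned payload, and add the positive case by recording warnings with `warnings.catch_warnings(record=True)` and asserting the list is empty. Note also that the hard-coded `example_jws` must verify against `'secret'` with HS256 for the test to pass at all: the warning is emitted before `_load`/verify, and any signature error raised afterwards propagates out of `deprecated_call`.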
+diff --git a/tests/test_api_jwt.py b/tests/test_api_jwt.py
+index 211f0df..62c4ef7 100644
+--- a/tests/test_api_jwt.py
++++ b/tests/test_api_jwt.py
+@@ -479,3 +479,13 @@ class TestJWT:
+                 secret,
+                 verify_expiration=True
+             )
++
++    def test_decode_with_optional_algorithms(self, jwt, payload):
++        secret = 'secret'
++        jwt_message = jwt.encode(payload, secret)
++
++        pytest.deprecated_call(
++            jwt.decode,
++            jwt_message,
++            secret
++        )
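Review bot: same gap as the JWS test: this asserts only that some DeprecationWarning is emitted, which would still be true if the PyJWT.decode copy were removed (the PyJWS base-class warning fires via super()), so it can neither distinguish one warning from two nor detect the duplication; record warnings and assert on the count, and add the no-warning case with `algorithms=['HS256']`. Building the token with `jwt.encode(payload, secret)` rather than a hard-coded string is the more robust pattern and is worth using in the JWS test as well.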
+-- 
+2.7.4
+
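Review bot: the patch file carries the raw git header (`From 1922f0972b065077404c0dafa0946f2132400a2b`, `Subject: [PATCH 1/3] ...`) but no DEP-3 metadata; add `Origin: upstream, <commit URL>`, `Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873244` and `Applied-Upstream:` headers so quilt and patch-tracker users can see where it came from and whether it matches upstream. The `[PATCH 1/3]` tag also shows this is the first of a three-part upstream series; the changelog or cover note should state whether parts 2/3 and 3/3 are required for CVE-2017-11424 or were deliberately left out as non-security changes.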
diff -Nru pyjwt-1.4.2/debian/patches/series pyjwt-1.4.2/debian/patches/series
--- pyjwt-1.4.2/debian/patches/series	1969-12-31 21:00:00.000000000 -0300
+++ pyjwt-1.4.2/debian/patches/series	2017-08-29 11:40:48.000000000 -0300
@@ -0,0 +1 @@
+CVE-2017-11424.patch

--- End Message ---
--- Begin Message ---
Source: pyjwt
Source-Version: 1.4.2-1.1

We believe that the bug you reported is fixed in the latest version of
pyjwt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 873...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated pyjwt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 16 Sep 2017 14:49:38 +0200
Source: pyjwt
Binary: python-jwt python3-jwt
Architecture: source
Version: 1.4.2-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Modules Team <python-modules-t...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description:
 python-jwt - Python implementation of JSON Web Token
 python3-jwt - Python 3 implementation of JSON Web Token
Closes: 873244
Changes:
 pyjwt (1.4.2-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Throw if key is a PKCS1 PEM-encoded public key (CVE-2017-11424)
     (Closes: #873244)
Checksums-Sha1:
 fcbdd6c39569614d0eca7a4ff5fe2d71509be4dc 2625 pyjwt_1.4.2-1.1.dsc
 2a472ac2821d412947f4cc9c7aa0eeccedd332c9 4756 pyjwt_1.4.2-1.1.debian.tar.xz
 2b7a5c05339e5140438e4d732f0576a4b656fdbb 6798 pyjwt_1.4.2-1.1_source.buildinfo
Checksums-Sha256:
 d89dea9e19465178fbffb94c5054eacfc242da825769efaae12a7bebd216dd6c 2625 pyjwt_1.4.2-1.1.dsc
 1aefc4545440e588652699fc06bf1dada43967b6f28e5fe2aec36f1d10bef793 4756 pyjwt_1.4.2-1.1.debian.tar.xz
 5d395d97d2f657d36ef15ccf658179b88a0b0e1bc9cad33ab4dc1c3cecdd0e6d 6798 pyjwt_1.4.2-1.1_source.buildinfo
Files:
 1c974b0263920eef9937800a7b8afc19 2625 python optional pyjwt_1.4.2-1.1.dsc
 0fe46c426d5c8ca71070da0665e76f7a 4756 python optional pyjwt_1.4.2-1.1.debian.tar.xz
 4536b23e70083436f0c2641f2377d7a8 6798 python optional pyjwt_1.4.2-1.1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlm9I2RfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89ECJwQAIHpwvJjK0CxhgDKdbEbq8AUzbYgaGm8
szUK93vOpRNViGdqzI0U37KghpyQrKG/+XH/vwXekMGcszzaeFSilFrJPSyIXDto
nJhJDGLkysSm/X+Ywqp7uV2Xc7Ow26Acj8iRy5r+UrPOT3QsBxGksf6GtHVF+P9i
PhjYkyPNm4rNvgtocBYQ8X6cw/EjKJGtWM6O8w/w18bxzH3Y8uhcnEZlDYq5yixf
nxuHTTMqz1sWtIBk7UPAOErQ2YcgkpT4qGTyTPOCgo7lnXZf4/JidLP9R8HJWpDi
Ka18idd3cBr5oYsuRCT/ZMVzxZngRyA5Ac3VeIKz1g948/ncj6j+xHIV4nXZ1sj4
QlmzrpOLxahLwT3Fou1WjL68hBP82gCPXJgxpLCumqPDNYXRzI3AmgA/8o7e4Wjl
0ImZFc4oKb1CfC8Fq/B4p8B2tQS3mIpleyN+ZDPCbzhutDtHvlF4HLMaKycozb3z
uX14cNB3bGnleZ7B17TYRxXRkXzZ3d9UQtlsFml5AGdP+5EzZvVYiX21WeTbpmfm
kApmr2RTljw7euH7cCj34MHp9tRGLKkOBlXmrbyExBUQXMGGkHDBlYa0YJC2cDsA
AX5WAlRE5+uQTHlfgPNFSx00GdRLcOKuFCLKTSQkXNQADZL7APeEUje0xYGq2Yok
NL5hAuNDFPnZ
=oz8M
-----END PGP SIGNATURE-----

--- End Message ---
