Control: tags 809980 + patch Control: tags 809980 + pending Dear maintainer,
I've prepared an NMU for python-rsa (versioned as 3.2.3-1.1) and uploaded it to DELAYED/10. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru python-rsa-3.2.3/debian/changelog python-rsa-3.2.3/debian/changelog --- python-rsa-3.2.3/debian/changelog 2015-11-24 17:10:07.000000000 +0100 +++ python-rsa-3.2.3/debian/changelog 2016-02-07 08:16:11.000000000 +0100 @@ -1,3 +1,11 @@ +python-rsa (3.2.3-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * CVE-2016-1494: Possible signature forgery using Bleichenbacher'06 attack + (Closes: #809980) + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 07 Feb 2016 07:29:08 +0100 + python-rsa (3.2.3-1) unstable; urgency=medium [ Dariusz Dwornikowski ] diff -Nru python-rsa-3.2.3/debian/patches/CVE-2016-1494.patch python-rsa-3.2.3/debian/patches/CVE-2016-1494.patch --- python-rsa-3.2.3/debian/patches/CVE-2016-1494.patch 1970-01-01 01:00:00.000000000 +0100 +++ python-rsa-3.2.3/debian/patches/CVE-2016-1494.patch 2016-02-07 08:16:11.000000000 +0100 @@ -0,0 +1,107 @@ +Description: Fix BB'06 attack in verify() by switching from parsing to comparison (CVE-2016-1494) +Origin: upstream, https://github.com/sybrenstuvel/python-rsa/commit/ab5d21c3b554f926d51ff3ad9c794bcf32e95b3c +Bug: https://bitbucket.org/sybren/python-rsa/pull-requests/14/security-fix-bb06-attack-in-verify-by/diff +Bug-Debian: https://bugs.debian.org/809980 +Forwarded: not-needed +Author: Filippo Valsorda <h...@filippo.io> +Reviewed-by: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2016-02-07 +Applied-Upstream: 3.3 + +diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py +--- a/rsa/pkcs1.py ++++ b/rsa/pkcs1.py +@@ -22,10 +22,10 @@ + At least 8 bytes of random padding is used when encrypting a message. This makes + these methods much more secure than the ones in the ``rsa`` module. + +-WARNING: this module leaks information when decryption or verification fails. +-The exceptions that are raised contain the Python traceback information, which +-can be used to deduce where in the process the failure occurred. DO NOT PASS +-SUCH INFORMATION to your users. ++WARNING: this module leaks information when decryption fails. The exceptions ++that are raised contain the Python traceback information, which can be used to ++deduce where in the process the failure occurred. DO NOT PASS SUCH INFORMATION ++to your users. + ''' + + import hashlib +@@ -288,37 +288,23 @@ + :param pub_key: the :py:class:`rsa.PublicKey` of the person signing the message. + :raise VerificationError: when the signature doesn't match the message. + +- .. warning:: +- +- Never display the stack trace of a +- :py:class:`rsa.pkcs1.VerificationError` exception. It shows where in +- the code the exception occurred, and thus leaks information about the +- key. It's only a tiny bit of information, but every bit makes cracking +- the keys easier. +- + ''' + +- blocksize = common.byte_size(pub_key.n) ++ keylength = common.byte_size(pub_key.n) + encrypted = transform.bytes2int(signature) + decrypted = core.decrypt_int(encrypted, pub_key.e, pub_key.n) +- clearsig = transform.int2bytes(decrypted, blocksize) +- +- # If we can't find the signature marker, verification failed. +- if clearsig[0:2] != b('\x00\x01'): +- raise VerificationError('Verification failed') ++ clearsig = transform.int2bytes(decrypted, keylength) + +- # Find the 00 separator between the padding and the payload +- try: +- sep_idx = clearsig.index(b('\x00'), 2) +- except ValueError: +- raise VerificationError('Verification failed') +- +- # Get the hash and the hash method +- (method_name, signature_hash) = _find_method_hash(clearsig[sep_idx+1:]) ++ # Get the hash method ++ method_name = _find_method_hash(clearsig) + message_hash = _hash(message, method_name) + +- # Compare the real hash to the hash in the signature +- if message_hash != signature_hash: ++ # Reconstruct the expected padded hash ++ cleartext = HASH_ASN1[method_name] + message_hash ++ expected = _pad_for_signing(cleartext, keylength) ++ ++ # Compare with the signed one ++ if expected != clearsig: + raise VerificationError('Verification failed') + + return True +@@ -351,24 +337,20 @@ + return hasher.digest() + + +-def _find_method_hash(method_hash): +- '''Finds the hash method and the hash itself. ++def _find_method_hash(clearsig): ++ '''Finds the hash method. + +- :param method_hash: ASN1 code for the hash method concatenated with the +- hash itself. ++ :param clearsig: full padded ASN1 and hash. + +- :return: tuple (method, hash) where ``method`` is the used hash method, and +- ``hash`` is the hash itself. ++ :return: the used hash method. + + :raise VerificationFailed: when the hash method cannot be found + + ''' + + for (hashname, asn1code) in HASH_ASN1.items(): +- if not method_hash.startswith(asn1code): +- continue +- +- return (hashname, method_hash[len(asn1code):]) ++ if asn1code in clearsig: ++ return hashname + + raise VerificationError('Verification failed') + diff -Nru python-rsa-3.2.3/debian/patches/series python-rsa-3.2.3/debian/patches/series --- python-rsa-3.2.3/debian/patches/series 2015-11-24 17:10:07.000000000 +0100 +++ python-rsa-3.2.3/debian/patches/series 2016-02-07 07:13:41.000000000 +0100 @@ -1 +1,2 @@ fix_tests.patch +CVE-2016-1494.patch