Re: CVE-2021-30130 php-phpseclib and phpseclib

2021-05-27 Thread Abhijith PA
Hi Ola,

On 26/05/21 01:45 PM, Ola Lundqvist wrote:
>Hi fellow LTS contributors
> 
>I have checked this CVE and my conclusions are as follows.
>The CVE actually covers five different problems. I guess CVEs should not
>do that, but it did anyway.
> 
>Quote from upstream:
> 
>Two were vulnerabilities in v3.0 involving the new
>RSA::SIGNATURE_RELAXED_PKCS1 mode (which doesn't exist in 2.0)
> 
>Two were bugs in v3.0 involving the new RSA::SIGNATURE_RELAXED_PKCS1
>mode (which again, doesn't exist in 2.0)
> 
>One was a bug in v1.0, v2.0 and v3.0.
> 
>The bug refers to "We have also found incompatibility issue in
>phpseclib v1, v2, v3 (strict mode)'s RSA PKCS#1 v1.5 signature
>verification suffering from rejecting valid signatures whose encoded
>message uses implicit hash algorithm's NULL parameter."
> 
>My conclusion is that one bug can be fixed. But I do not think it is a
>security problem. The problem is that some valid signatures fail
>verification if they are encoded in a special way.
> 
>What I have done is to mark the CVE as not-affected with a note about
>this.
> 
>Let me know if you think my analysis is correct.

I've gone through those comments and fixes. Since the valid-signature-failing
bug in v1 and v2 is not a security issue, I think marking
CVE-2021-30130 as not-affected is the way to go. Sorry for holding the
package.

--abhijith 



CVE-2021-30130 php-phpseclib and phpseclib

2021-05-26 Thread Ola Lundqvist
Hi fellow LTS contributors

I have checked this CVE and my conclusions are as follows.
The CVE actually covers five different problems. I guess CVEs should not do
that, but it did anyway.

Quote from upstream:

Two were vulnerabilities in v3.0 involving the new
RSA::SIGNATURE_RELAXED_PKCS1 mode (which doesn't exist in 2.0)
Two were bugs in v3.0 involving the new RSA::SIGNATURE_RELAXED_PKCS1 mode
(which again, doesn't exist in 2.0)
One was a bug in v1.0, v2.0 and v3.0.


The bug refers to "We have also found incompatibility issue in phpseclib
v1, v2, v3 (strict mode)'s RSA PKCS#1 v1.5 signature verification suffering
from rejecting valid signatures whose encoded message uses implicit hash
algorithm's NULL parameter."

My conclusion is that one bug can be fixed. But I do not think it is a
security problem. The problem is that some valid signatures fail
verification if they are encoded in a special way.

What I have done is to mark the CVE as not-affected with a note about this.

Let me know if you think my analysis is correct.

I'm sending this to you all since I'm not 100% sure how to treat it.

Best regards

// Ola


-- 
Inguza Technology AB, MSc in Information Technology
o...@inguza.com  o...@debian.org
http://inguza.com/  Mobile: +46 (0)70-332 1551
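
The compatibility bug quoted in the thread, as an added example that is not part of the original messages and is not phpseclib code: the two DER encodings of a PKCS#1 v1.5 DigestInfo (hash AlgorithmIdentifier with an explicit NULL parameter versus with the parameter absent), and a compare-based check that accepts only the first form next to one that accepts both. It assumes SHA-256 and a 2048-bit modulus, works on the encoded message EM as recovered by the RSA public-key operation, and all function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

# DER-encoded OID for SHA-256 (2.16.840.1.101.3.4.2.1) and the DER NULL value.
SHA256_OID = bytes.fromhex("0609608648016503040201")
DER_NULL = bytes.fromhex("0500")

def der(tag, content):
    # Short-form DER length only; enough for these structures (< 128 bytes).
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def digest_info(message, explicit_null):
    """DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING digest }."""
    params = DER_NULL if explicit_null else b""  # b"" = parameter absent
    alg_id = der(0x30, SHA256_OID + params)
    return der(0x30, alg_id + der(0x04, hashlib.sha256(message).digest()))

def emsa_pkcs1_v15(t, em_len):
    """EM = 0x00 || 0x01 || PS (0xFF bytes, at least 8) || 0x00 || T."""
    ps_len = em_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for this DigestInfo")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t

def verify_em(em, message, accept_absent_params):
    """Rebuild the expected EM and compare whole blocks; nothing is parsed.

    With accept_absent_params=False only the explicit-NULL form matches,
    which is the behaviour the thread describes: a valid signature whose
    DigestInfo omits the NULL parameter is rejected.
    """
    forms = [True, False] if accept_absent_params else [True]
    expected = [emsa_pkcs1_v15(digest_info(message, f), len(em)) for f in forms]
    return any(hmac.compare_digest(em, e) for e in expected)

# Constructed sample data: 256-byte EM blocks for a 2048-bit key.
MSG = b"constructed sample message"
EM_NULL = emsa_pkcs1_v15(digest_info(MSG, True), 256)
EM_ABSENT = emsa_pkcs1_v15(digest_info(MSG, False), 256)
TAMPERED = EM_ABSENT[:10] + b"\x00" + EM_ABSENT[11:]  # one padding byte altered

if __name__ == "__main__":
    for name, em in [("explicit NULL", EM_NULL), ("absent", EM_ABSENT),
                     ("tampered", TAMPERED)]:
        print(name, verify_em(em, MSG, False), verify_em(em, MSG, True))
```

Accepting the second form adds exactly one more fixed byte string to compare against, so any other deviation in padding or encoding is still rejected.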