* [gentoo-commits] repo/gentoo:master commit in: dev-python/rsa/, dev-python/rsa/files/
@ 2016-01-07 8:56 Justin Lecher
0 siblings, 0 replies; 2+ messages in thread
From: Justin Lecher @ 2016-01-07 8:56 UTC (permalink / raw
To: gentoo-commits
commit: 180d405a41b277428974932c8b439048fe05ac36
Author: Justin Lecher <jlec <AT> gentoo <DOT> org>
AuthorDate: Thu Jan 7 08:56:09 2016 +0000
Commit: Justin Lecher <jlec <AT> gentoo <DOT> org>
CommitDate: Thu Jan 7 08:56:19 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=180d405a
dev-python/rsa: Backport patch for CVS-2016-1494
Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=570990
Package-Manager: portage-2.2.26
Signed-off-by: Justin Lecher <jlec <AT> gentoo.org>
dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch | 104 +++++++++++++++++++++
dev-python/rsa/rsa-3.2.3-r1.ebuild | 38 ++++++++
2 files changed, 142 insertions(+)
diff --git a/dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch b/dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch
new file mode 100644
index 0000000..bfcfc33
--- /dev/null
+++ b/dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch
@@ -0,0 +1,104 @@
+# HG changeset patch
+# User Filippo Valsorda <hi@filippo.io>
+# Date 1450226563 0
+# Node ID 0cbcc529926afd61c6df4f50cfc29971beafd2c2
+# Parent 2baab06c8b867b01ec82b02118d4872a931a0437
+Fix BB'06 attack in verify() by switching from parsing to comparison
+
+diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py
+--- a/rsa/pkcs1.py
++++ b/rsa/pkcs1.py
+@@ -22,10 +22,10 @@
+ At least 8 bytes of random padding is used when encrypting a message. This makes
+ these methods much more secure than the ones in the ``rsa`` module.
+
+-WARNING: this module leaks information when decryption or verification fails.
+-The exceptions that are raised contain the Python traceback information, which
+-can be used to deduce where in the process the failure occurred. DO NOT PASS
+-SUCH INFORMATION to your users.
++WARNING: this module leaks information when decryption fails. The exceptions
++that are raised contain the Python traceback information, which can be used to
++deduce where in the process the failure occurred. DO NOT PASS SUCH INFORMATION
++to your users.
+ '''
+
+ import hashlib
+@@ -288,37 +288,23 @@
+ :param pub_key: the :py:class:`rsa.PublicKey` of the person signing the message.
+ :raise VerificationError: when the signature doesn't match the message.
+
+- .. warning::
+-
+- Never display the stack trace of a
+- :py:class:`rsa.pkcs1.VerificationError` exception. It shows where in
+- the code the exception occurred, and thus leaks information about the
+- key. It's only a tiny bit of information, but every bit makes cracking
+- the keys easier.
+-
+ '''
+
+- blocksize = common.byte_size(pub_key.n)
++ keylength = common.byte_size(pub_key.n)
+ encrypted = transform.bytes2int(signature)
+ decrypted = core.decrypt_int(encrypted, pub_key.e, pub_key.n)
+- clearsig = transform.int2bytes(decrypted, blocksize)
+-
+- # If we can't find the signature marker, verification failed.
+- if clearsig[0:2] != b('\x00\x01'):
+- raise VerificationError('Verification failed')
++ clearsig = transform.int2bytes(decrypted, keylength)
+
+- # Find the 00 separator between the padding and the payload
+- try:
+- sep_idx = clearsig.index(b('\x00'), 2)
+- except ValueError:
+- raise VerificationError('Verification failed')
+-
+- # Get the hash and the hash method
+- (method_name, signature_hash) = _find_method_hash(clearsig[sep_idx+1:])
++ # Get the hash method
++ method_name = _find_method_hash(clearsig)
+ message_hash = _hash(message, method_name)
+
+- # Compare the real hash to the hash in the signature
+- if message_hash != signature_hash:
++ # Reconstruct the expected padded hash
++ cleartext = HASH_ASN1[method_name] + message_hash
++ expected = _pad_for_signing(cleartext, keylength)
++
++ # Compare with the signed one
++ if expected != clearsig:
+ raise VerificationError('Verification failed')
+
+ return True
+@@ -351,24 +337,20 @@
+ return hasher.digest()
+
+
+-def _find_method_hash(method_hash):
+- '''Finds the hash method and the hash itself.
++def _find_method_hash(clearsig):
++ '''Finds the hash method.
+
+- :param method_hash: ASN1 code for the hash method concatenated with the
+- hash itself.
++ :param clearsig: full padded ASN1 and hash.
+
+- :return: tuple (method, hash) where ``method`` is the used hash method, and
+- ``hash`` is the hash itself.
++ :return: the used hash method.
+
+ :raise VerificationFailed: when the hash method cannot be found
+
+ '''
+
+ for (hashname, asn1code) in HASH_ASN1.items():
+- if not method_hash.startswith(asn1code):
+- continue
+-
+- return (hashname, method_hash[len(asn1code):])
++ if asn1code in clearsig:
++ return hashname
+
+ raise VerificationError('Verification failed')
+
diff --git a/dev-python/rsa/rsa-3.2.3-r1.ebuild b/dev-python/rsa/rsa-3.2.3-r1.ebuild
new file mode 100644
index 0000000..42ff4a0
--- /dev/null
+++ b/dev-python/rsa/rsa-3.2.3-r1.ebuild
@@ -0,0 +1,38 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+PYTHON_COMPAT=( python2_7 python3_{3,4,5} pypy )
+
+inherit distutils-r1
+
+DESCRIPTION="Pure-Python RSA implementation"
+HOMEPAGE="http://stuvel.eu/rsa https://pypi.python.org/pypi/rsa"
+SRC_URI="mirror://pypi/${P:0:1}/${PN}/${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="test"
+
+RDEPEND="
+ >=dev-python/pyasn1-0.1.3[${PYTHON_USEDEP}]
+ dev-python/traceback2[${PYTHON_USEDEP}]
+ "
+DEPEND="${RDEPEND}
+ >=dev-python/setuptools-0.6.10[${PYTHON_USEDEP}]
+ test? (
+ dev-python/nose[${PYTHON_USEDEP}]
+ dev-python/unittest2[${PYTHON_USEDEP}]
+ )
+ "
+
+PATCHES=(
+ "${FILESDIR}"/${P}-CVE-2016-1494.patch
+)
+
+python_test() {
+ nosetests --verbose || die
+}
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-python/rsa/, dev-python/rsa/files/
@ 2020-03-29 7:31 Michał Górny
0 siblings, 0 replies; 2+ messages in thread
From: Michał Górny @ 2020-03-29 7:31 UTC (permalink / raw
To: gentoo-commits
commit: 273961d6c3f521505238e0db5d39f8fafdb8562e
Author: Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Sun Mar 29 07:21:05 2020 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Sun Mar 29 07:31:16 2020 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=273961d6
dev-python/rsa: Remove redundant versions
Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>
dev-python/rsa/Manifest | 1 -
dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch | 104 ---------------------
dev-python/rsa/rsa-3.2.3-r1.ebuild | 38 --------
3 files changed, 143 deletions(-)
diff --git a/dev-python/rsa/Manifest b/dev-python/rsa/Manifest
index 7c5f4761d40..86ef505328b 100644
--- a/dev-python/rsa/Manifest
+++ b/dev-python/rsa/Manifest
@@ -1,3 +1,2 @@
-DIST rsa-3.2.3.tar.gz 35628 BLAKE2B fa30e8212d0102b7763a5e8eb408d0778520d85d9428e12b603fdfa5982c559682c04fec2eac4723a8c9e06c9ed77365021a832c8ad96b07fa07eb93c5a626e2 SHA512 52b33e0278e6e1fed64b1cdebed29f7caa31fae733c2d5875e6cba5a045aaa829616799d8de84fdb63c546780dbdafcabf1f85f25930b8e663861151479ef7e2
DIST rsa-3.4.2.tar.gz 40956 BLAKE2B 9a6353c84329303c655e7a25fcfa2ca42ea846c913fac0c26fee4a27bb85f9380de876b2ec07ae2212eb37efe5d2e401b2672f187f74bbeee1e9ef1099629e36 SHA512 62b0ff31fb3b9c18ae65bd102329e69726b853560576b1b66b9b89b26d3ff79154239af7e7a581b6a27c7017cc013f738762cd9662777ef594cc11c5b1f8e267
DIST rsa-4.0.tar.gz 37385 BLAKE2B 2621ee732f15ea12283b723efb5e88847d3e030e8115bb4a3e986099fc94adc3409202d54b4350b0888deefd8dc801d8d3e57fef9e85f386ead53e4412da6d05 SHA512 e11106741cc4275246c986d39b3f028b5a4df6fbffdd08a78072ac3d3a9a7ade7a39789c504a2705f54d858a9bdbf03981251f32f9c45baba71e4a986e14b24e
diff --git a/dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch b/dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch
deleted file mode 100644
index bfcfc33ed01..00000000000
--- a/dev-python/rsa/files/rsa-3.2.3-CVE-2016-1494.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-# HG changeset patch
-# User Filippo Valsorda <hi@filippo.io>
-# Date 1450226563 0
-# Node ID 0cbcc529926afd61c6df4f50cfc29971beafd2c2
-# Parent 2baab06c8b867b01ec82b02118d4872a931a0437
-Fix BB'06 attack in verify() by switching from parsing to comparison
-
-diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py
---- a/rsa/pkcs1.py
-+++ b/rsa/pkcs1.py
-@@ -22,10 +22,10 @@
- At least 8 bytes of random padding is used when encrypting a message. This makes
- these methods much more secure than the ones in the ``rsa`` module.
-
--WARNING: this module leaks information when decryption or verification fails.
--The exceptions that are raised contain the Python traceback information, which
--can be used to deduce where in the process the failure occurred. DO NOT PASS
--SUCH INFORMATION to your users.
-+WARNING: this module leaks information when decryption fails. The exceptions
-+that are raised contain the Python traceback information, which can be used to
-+deduce where in the process the failure occurred. DO NOT PASS SUCH INFORMATION
-+to your users.
- '''
-
- import hashlib
-@@ -288,37 +288,23 @@
- :param pub_key: the :py:class:`rsa.PublicKey` of the person signing the message.
- :raise VerificationError: when the signature doesn't match the message.
-
-- .. warning::
--
-- Never display the stack trace of a
-- :py:class:`rsa.pkcs1.VerificationError` exception. It shows where in
-- the code the exception occurred, and thus leaks information about the
-- key. It's only a tiny bit of information, but every bit makes cracking
-- the keys easier.
--
- '''
-
-- blocksize = common.byte_size(pub_key.n)
-+ keylength = common.byte_size(pub_key.n)
- encrypted = transform.bytes2int(signature)
- decrypted = core.decrypt_int(encrypted, pub_key.e, pub_key.n)
-- clearsig = transform.int2bytes(decrypted, blocksize)
--
-- # If we can't find the signature marker, verification failed.
-- if clearsig[0:2] != b('\x00\x01'):
-- raise VerificationError('Verification failed')
-+ clearsig = transform.int2bytes(decrypted, keylength)
-
-- # Find the 00 separator between the padding and the payload
-- try:
-- sep_idx = clearsig.index(b('\x00'), 2)
-- except ValueError:
-- raise VerificationError('Verification failed')
--
-- # Get the hash and the hash method
-- (method_name, signature_hash) = _find_method_hash(clearsig[sep_idx+1:])
-+ # Get the hash method
-+ method_name = _find_method_hash(clearsig)
- message_hash = _hash(message, method_name)
-
-- # Compare the real hash to the hash in the signature
-- if message_hash != signature_hash:
-+ # Reconstruct the expected padded hash
-+ cleartext = HASH_ASN1[method_name] + message_hash
-+ expected = _pad_for_signing(cleartext, keylength)
-+
-+ # Compare with the signed one
-+ if expected != clearsig:
- raise VerificationError('Verification failed')
-
- return True
-@@ -351,24 +337,20 @@
- return hasher.digest()
-
-
--def _find_method_hash(method_hash):
-- '''Finds the hash method and the hash itself.
-+def _find_method_hash(clearsig):
-+ '''Finds the hash method.
-
-- :param method_hash: ASN1 code for the hash method concatenated with the
-- hash itself.
-+ :param clearsig: full padded ASN1 and hash.
-
-- :return: tuple (method, hash) where ``method`` is the used hash method, and
-- ``hash`` is the hash itself.
-+ :return: the used hash method.
-
- :raise VerificationFailed: when the hash method cannot be found
-
- '''
-
- for (hashname, asn1code) in HASH_ASN1.items():
-- if not method_hash.startswith(asn1code):
-- continue
--
-- return (hashname, method_hash[len(asn1code):])
-+ if asn1code in clearsig:
-+ return hashname
-
- raise VerificationError('Verification failed')
-
diff --git a/dev-python/rsa/rsa-3.2.3-r1.ebuild b/dev-python/rsa/rsa-3.2.3-r1.ebuild
deleted file mode 100644
index 0abc603ef08..00000000000
--- a/dev-python/rsa/rsa-3.2.3-r1.ebuild
+++ /dev/null
@@ -1,38 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=5
-
-PYTHON_COMPAT=( python3_{6,7} )
-
-inherit distutils-r1
-
-DESCRIPTION="Pure-Python RSA implementation"
-HOMEPAGE="https://stuvel.eu/rsa https://pypi.org/project/rsa/"
-SRC_URI="mirror://pypi/${P:0:1}/${PN}/${P}.tar.gz"
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS="amd64 arm x86"
-IUSE="test"
-RESTRICT="!test? ( test )"
-
-RDEPEND="
- >=dev-python/pyasn1-0.1.3[${PYTHON_USEDEP}]
- dev-python/traceback2[${PYTHON_USEDEP}]
- "
-DEPEND="${RDEPEND}
- >=dev-python/setuptools-0.6.10[${PYTHON_USEDEP}]
- test? (
- dev-python/nose[${PYTHON_USEDEP}]
- dev-python/unittest2[${PYTHON_USEDEP}]
- )
- "
-
-PATCHES=(
- "${FILESDIR}"/${P}-CVE-2016-1494.patch
-)
-
-python_test() {
- nosetests --verbose || die
-}
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-03-29 7:31 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-01-07 8:56 [gentoo-commits] repo/gentoo:master commit in: dev-python/rsa/, dev-python/rsa/files/ Justin Lecher
-- strict thread matches above, loose matches on Subject: below --
2020-03-29 7:31 Michał Górny
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox