* [gentoo-commits] repo/gentoo:master commit in: dev-python/rsa/files/, dev-python/rsa/
@ 2020-08-11 9:38 Michał Górny
0 siblings, 0 replies; 3+ messages in thread
From: Michał Górny @ 2020-08-11 9:38 UTC (permalink / raw
To: gentoo-commits
commit: 34a22092685c85bb93db50a961b50efab8b8bb3f
Author: Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Tue Aug 11 09:32:05 2020 +0000
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Tue Aug 11 09:37:52 2020 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34a22092
dev-python/rsa: Backport CVE-2020-13757 fix to 3.4.2
Bug: https://bugs.gentoo.org/727888
Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>
.../rsa/files/rsa-3.4.2-cve-2020-13757.patch | 95 ++++++++++++++++++++++
.../{rsa-3.4.2-r1.ebuild => rsa-3.4.2-r2.ebuild} | 4 +
2 files changed, 99 insertions(+)
diff --git a/dev-python/rsa/files/rsa-3.4.2-cve-2020-13757.patch b/dev-python/rsa/files/rsa-3.4.2-cve-2020-13757.patch
new file mode 100644
index 00000000000..ccee6c0281b
--- /dev/null
+++ b/dev-python/rsa/files/rsa-3.4.2-cve-2020-13757.patch
@@ -0,0 +1,95 @@
+diff -Nur rsa-3.4.2.orig/rsa/pkcs1.py rsa-3.4.2/rsa/pkcs1.py
+--- rsa-3.4.2.orig/rsa/pkcs1.py 2020-07-05 10:28:57.622204136 +0200
++++ rsa-3.4.2/rsa/pkcs1.py 2020-07-05 10:30:28.103672033 +0200
+@@ -232,6 +232,12 @@
+ decrypted = priv_key.blinded_decrypt(encrypted)
+ cleartext = transform.int2bytes(decrypted, blocksize)
+
++ # Detect leading zeroes in the crypto. These are not reflected in the
++ # encrypted value (as leading zeroes do not influence the value of an
++ # integer). This fixes CVE-2020-13757.
++ if len(crypto) > blocksize:
++ raise DecryptionError('Decryption failed')
++
+ # If we can't find the cleartext marker, decryption failed.
+ if cleartext[0:2] != b('\x00\x02'):
+ raise DecryptionError('Decryption failed')
+@@ -310,6 +316,9 @@
+ cleartext = HASH_ASN1[method_name] + message_hash
+ expected = _pad_for_signing(cleartext, keylength)
+
++ if len(signature) != keylength:
++ raise VerificationError('Verification failed')
++
+ # Compare with the signed one
+ if expected != clearsig:
+ raise VerificationError('Verification failed')
+diff -Nur rsa-3.4.2.orig/tests/test_pkcs1.py rsa-3.4.2/tests/test_pkcs1.py
+--- rsa-3.4.2.orig/tests/test_pkcs1.py 2020-07-05 10:28:57.621204131 +0200
++++ rsa-3.4.2/tests/test_pkcs1.py 2020-07-05 10:32:26.858286153 +0200
+@@ -17,6 +17,7 @@
+ """Tests string operations."""
+
+ import struct
++import sys
+ import unittest
+
+ import rsa
+@@ -64,6 +65,35 @@
+
+ self.assertNotEqual(encrypted1, encrypted2)
+
++class ExtraZeroesTest(unittest.TestCase):
++ def setUp(self):
++ # Key, cyphertext, and plaintext taken from https://github.com/sybrenstuvel/python-rsa/issues/146
++ self.private_key = rsa.PrivateKey.load_pkcs1(
++ "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAs1EKK81M5kTFtZSuUFnhKy8FS2WNXaWVmi/fGHG4CLw98+Yo\n0nkuUarVwSS0O9pFPcpc3kvPKOe9Tv+6DLS3Qru21aATy2PRqjqJ4CYn71OYtSwM\n/ZfSCKvrjXybzgu+sBmobdtYm+sppbdL+GEHXGd8gdQw8DDCZSR6+dPJFAzLZTCd\nB+Ctwe/RXPF+ewVdfaOGjkZIzDoYDw7n+OHnsYCYozkbTOcWHpjVevipR+IBpGPi\n1rvKgFnlcG6d/tj0hWRl/6cS7RqhjoiNEtxqoJzpXs/Kg8xbCxXbCchkf11STA8u\ndiCjQWuWI8rcDwl69XMmHJjIQAqhKvOOQ8rYTQIDAQABAoIBABpQLQ7qbHtp4h1Y\nORAfcFRW7Q74UvtH/iEHH1TF8zyM6wZsYtcn4y0mxYE3Mp+J0xlTJbeVJkwZXYVH\nL3UH29CWHSlR+TWiazTwrCTRVJDhEoqbcTiRW8fb+o/jljVxMcVDrpyYUHNo2c6w\njBxhmKPtp66hhaDpds1Cwi0A8APZ8Z2W6kya/L/hRBzMgCz7Bon1nYBMak5PQEwV\nF0dF7Wy4vIjvCzO6DSqA415DvJDzUAUucgFudbANNXo4HJwNRnBpymYIh8mHdmNJ\n/MQ0YLSqUWvOB57dh7oWQwe3UsJ37ZUorTugvxh3NJ7Tt5ZqbCQBEECb9ND63gxo\n/a3YR/0CgYEA7BJc834xCi/0YmO5suBinWOQAF7IiRPU+3G9TdhWEkSYquupg9e6\nK9lC5k0iP+t6I69NYF7+6mvXDTmv6Z01o6oV50oXaHeAk74O3UqNCbLe9tybZ/+F\ndkYlwuGSNttMQBzjCiVy0+y0+Wm3rRnFIsAtd0RlZ24aN3bFTWJINIsCgYEAwnQq\nvNmJe9SwtnH5c/yCqPhKv1cF/4
jdQZSGI6/p3KYNxlQzkHZ/6uvrU5V27ov6YbX8\nvKlKfO91oJFQxUD6lpTdgAStI3GMiJBJIZNpyZ9EWNSvwUj28H34cySpbZz3s4Xd\nhiJBShgy+fKURvBQwtWmQHZJ3EGrcOI7PcwiyYcCgYEAlql5jSUCY0ALtidzQogW\nJ+B87N+RGHsBuJ/0cxQYinwg+ySAAVbSyF1WZujfbO/5+YBN362A/1dn3lbswCnH\nK/bHF9+fZNqvwprPnceQj5oK1n4g6JSZNsy6GNAhosT+uwQ0misgR8SQE4W25dDG\nkdEYsz+BgCsyrCcu8J5C+tUCgYAFVPQbC4f2ikVyKzvgz0qx4WUDTBqRACq48p6e\n+eLatv7nskVbr7QgN+nS9+Uz80ihR0Ev1yCAvnwmM/XYAskcOea87OPmdeWZlQM8\nVXNwINrZ6LMNBLgorfuTBK1UoRo1pPUHCYdqxbEYI2unak18mikd2WB7Fp3h0YI4\nVpGZnwKBgBxkAYnZv+jGI4MyEKdsQgxvROXXYOJZkWzsKuKxVkVpYP2V4nR2YMOJ\nViJQ8FUEnPq35cMDlUk4SnoqrrHIJNOvcJSCqM+bWHAioAsfByLbUPM8sm3CDdIk\nXVJl32HuKYPJOMIWfc7hIfxLRHnCN+coz2M6tgqMDs0E/OfjuqVZ\n-----END RSA PRIVATE KEY-----",
++ format='PEM')
++ cyphertext = "4501b4d669e01b9ef2dc800aa1b06d49196f5a09fe8fbcd037323c60eaf027bfb98432be4e4a26c567ffec718bcbea977dd26812fa071c33808b4d5ebb742d9879806094b6fbeea63d25ea3141733b60e31c6912106e1b758a7fe0014f075193faa8b4622bfd5d3013f0a32190a95de61a3604711bc62945f95a6522bd4dfed0a994ef185b28c281f7b5e4c8ed41176d12d9fc1b837e6a0111d0132d08a6d6f0580de0c9eed8ed105531799482d1e466c68c23b0c222af7fc12ac279bc4ff57e7b4586d209371b38c4c1035edd418dc5f960441cb21ea2bedbfea86de0d7861e81021b650a1de51002c315f1e7c12debe4dcebf790caaa54a2f26b149cf9e77d"
++ plaintext = "54657374"
++
++ if sys.version_info < (3, 0):
++ self.cyphertext = cyphertext.decode("hex")
++ self.plaintext = plaintext.decode('hex')
++ else:
++ self.cyphertext = bytes.fromhex(cyphertext)
++ self.plaintext = bytes.fromhex(plaintext)
++
++ def test_unmodified(self):
++ message = rsa.decrypt(self.cyphertext, self.private_key)
++ self.assertEqual(message, self.plaintext)
++
++ def test_prepend_zeroes(self):
++ cyphertext = b'\00\00' + self.cyphertext
++ with self.assertRaises(rsa.DecryptionError):
++ rsa.decrypt(cyphertext, self.private_key)
++
++ def test_append_zeroes(self):
++ cyphertext = self.cyphertext + b'\00\00'
++ with self.assertRaises(rsa.DecryptionError):
++ rsa.decrypt(cyphertext, self.private_key)
+
+ class SignatureTest(unittest.TestCase):
+ def setUp(self):
+@@ -105,3 +135,21 @@
+ signature2 = pkcs1.sign(message, self.priv, 'SHA-1')
+
+ self.assertEqual(signature1, signature2)
++
++ def test_prepend_zeroes(self):
++ """Prepending the signature with zeroes should be detected."""
++
++ message = b'je moeder'
++ signature = pkcs1.sign(message, self.priv, 'SHA-256')
++ signature = b'\00\00' + signature
++ with self.assertRaises(rsa.VerificationError):
++ pkcs1.verify(message, signature, self.pub)
++
++ def test_apppend_zeroes(self):
++ """Apppending the signature with zeroes should be detected."""
++
++ message = b'je moeder'
++ signature = pkcs1.sign(message, self.priv, 'SHA-256')
++ signature = signature + b'\00\00'
++ with self.assertRaises(rsa.VerificationError):
++ pkcs1.verify(message, signature, self.pub)
diff --git a/dev-python/rsa/rsa-3.4.2-r1.ebuild b/dev-python/rsa/rsa-3.4.2-r2.ebuild
similarity index 93%
rename from dev-python/rsa/rsa-3.4.2-r1.ebuild
rename to dev-python/rsa/rsa-3.4.2-r2.ebuild
index bc2b7755ef5..8b4366f95ce 100644
--- a/dev-python/rsa/rsa-3.4.2-r1.ebuild
+++ b/dev-python/rsa/rsa-3.4.2-r2.ebuild
@@ -29,6 +29,10 @@ DEPEND="${RDEPEND}
)
"
+PATCHES=(
+ "${FILESDIR}"/${P}-cve-2020-13757.patch
+)
+
python_test() {
nosetests --verbose || die
}
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-python/rsa/files/, dev-python/rsa/
@ 2022-07-18 20:49 Sam James
0 siblings, 0 replies; 3+ messages in thread
From: Sam James @ 2022-07-18 20:49 UTC (permalink / raw
To: gentoo-commits
commit: a34cfff94ac73ef6930d2de36cb4e89b4309b234
Author: Horea Christian <chr <AT> chymera <DOT> eu>
AuthorDate: Mon Jul 18 16:46:05 2022 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Mon Jul 18 20:48:58 2022 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a34cfff9
dev-python/rsa: don't install LICENSE etc in site-packages
Closes: https://bugs.gentoo.org/859175
Package-Manager: Portage-3.0.30, Repoman-3.0.3
Signed-off-by: Horea Christian <chr <AT> chymera.eu>
Closes: https://github.com/gentoo/gentoo/pull/26466
Signed-off-by: Sam James <sam <AT> gentoo.org>
dev-python/rsa/files/rsa-4.8-includes.patch | 28 ++++++++++++++++++++++
.../rsa/{rsa-4.8-r1.ebuild => rsa-4.8-r2.ebuild} | 2 ++
2 files changed, 30 insertions(+)
diff --git a/dev-python/rsa/files/rsa-4.8-includes.patch b/dev-python/rsa/files/rsa-4.8-includes.patch
new file mode 100644
index 000000000000..181fd638d0de
--- /dev/null
+++ b/dev-python/rsa/files/rsa-4.8-includes.patch
@@ -0,0 +1,28 @@
+https://github.com/sybrenstuvel/python-rsa/commit/3031bf5c6ae64083431e849903b0104d2cfae893
+https://bugs.gentoo.org/859175
+
+From 3031bf5c6ae64083431e849903b0104d2cfae893 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= <mgorny@gentoo.org>
+Date: Thu, 27 Jan 2022 10:26:23 +0100
+Subject: [PATCH] Do not include arbitrary files in wheel
+
+Fix the include key to apply to sdist format only. Otherwise, the
+listed files are added to the top directory of wheel as well and end up
+being installed in top-level site-packages directory, e.g.:
+
+ * FILES:+usr/lib/python3.9/site-packages/CHANGELOG.md
+ * FILES:+usr/lib/python3.9/site-packages/LICENSE
+ * FILES:+usr/lib/python3.9/site-packages/README.md
+--- a/pyproject.toml
++++ b/pyproject.toml
+@@ -26,7 +26,9 @@ classifiers = [
+ "Topic :: Security :: Cryptography",
+ ]
+ include = [
+- "LICENSE", "README.md", "CHANGELOG.md",
++ { path = "LICENSE", format = "sdist" },
++ { path = "README.md", format = "sdist" },
++ { path = "CHANGELOG.md", format = "sdist" },
+ ]
+
+ [tool.poetry.dependencies]
diff --git a/dev-python/rsa/rsa-4.8-r1.ebuild b/dev-python/rsa/rsa-4.8-r2.ebuild
similarity index 94%
rename from dev-python/rsa/rsa-4.8-r1.ebuild
rename to dev-python/rsa/rsa-4.8-r2.ebuild
index fffb3c5c50ad..5a4cdf383088 100644
--- a/dev-python/rsa/rsa-4.8-r1.ebuild
+++ b/dev-python/rsa/rsa-4.8-r2.ebuild
@@ -29,6 +29,8 @@ RDEPEND="
>=dev-python/pyasn1-0.1.3[${PYTHON_USEDEP}]
"
+PATCHES=( "${FILESDIR}/${P}-includes.patch" )
+
distutils_enable_tests unittest
src_prepare() {
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: dev-python/rsa/files/, dev-python/rsa/
@ 2022-08-21 18:58 Arthur Zamarin
0 siblings, 0 replies; 3+ messages in thread
From: Arthur Zamarin @ 2022-08-21 18:58 UTC (permalink / raw
To: gentoo-commits
commit: 79072333f1444d42666cf4313f7937c57414595f
Author: Arthur Zamarin <arthurzam <AT> gentoo <DOT> org>
AuthorDate: Sun Aug 21 18:57:49 2022 +0000
Commit: Arthur Zamarin <arthurzam <AT> gentoo <DOT> org>
CommitDate: Sun Aug 21 18:57:49 2022 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=79072333
dev-python/rsa: drop 4.8-r2
Signed-off-by: Arthur Zamarin <arthurzam <AT> gentoo.org>
dev-python/rsa/Manifest | 1 -
dev-python/rsa/files/rsa-4.8-includes.patch | 28 ---------------------
dev-python/rsa/rsa-4.8-r2.ebuild | 39 -----------------------------
3 files changed, 68 deletions(-)
diff --git a/dev-python/rsa/Manifest b/dev-python/rsa/Manifest
index b59318b0d575..deec8885fcd7 100644
--- a/dev-python/rsa/Manifest
+++ b/dev-python/rsa/Manifest
@@ -1,2 +1 @@
-DIST python-rsa-version-4.8.gh.tar.gz 73634 BLAKE2B 55f25b6747f4f0bad12cbbb75c6e6fdbe6f913265866f11430644b46f9d3a2f615e6ed460d04cc732cfe29f0a4e47b14f2581f29d523b3018272ef976a6a04aa SHA512 d65e5d3c902508f4ea7424099471cd68568b052b9647a87ceb155ecc444ba6a8bd0ebef6fe1bf38720a19193cd494a8b64f744cca5812d1a3bec28f3fa3a9a3d
DIST python-rsa-version-4.9.gh.tar.gz 59238 BLAKE2B 077679131fcd29a0f396ad9db45db9a6891be45afe96a328f66191d747f10d36a3248b0929d5c8270ff32a39d08a9c15d80973ba3af83f7368e792cf003f186a SHA512 0b49c1e5ffb6235ccb9e34c81ad717276c04956e21dd54c08b5cae7dd28ecc115235b2793c8bfc2fbb46a260e574d35cab23729567efeee108b79544793e60ad
diff --git a/dev-python/rsa/files/rsa-4.8-includes.patch b/dev-python/rsa/files/rsa-4.8-includes.patch
deleted file mode 100644
index 181fd638d0de..000000000000
--- a/dev-python/rsa/files/rsa-4.8-includes.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-https://github.com/sybrenstuvel/python-rsa/commit/3031bf5c6ae64083431e849903b0104d2cfae893
-https://bugs.gentoo.org/859175
-
-From 3031bf5c6ae64083431e849903b0104d2cfae893 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Micha=C5=82=20G=C3=B3rny?= <mgorny@gentoo.org>
-Date: Thu, 27 Jan 2022 10:26:23 +0100
-Subject: [PATCH] Do not include arbitrary files in wheel
-
-Fix the include key to apply to sdist format only. Otherwise, the
-listed files are added to the top directory of wheel as well and end up
-being installed in top-level site-packages directory, e.g.:
-
- * FILES:+usr/lib/python3.9/site-packages/CHANGELOG.md
- * FILES:+usr/lib/python3.9/site-packages/LICENSE
- * FILES:+usr/lib/python3.9/site-packages/README.md
---- a/pyproject.toml
-+++ b/pyproject.toml
-@@ -26,7 +26,9 @@ classifiers = [
- "Topic :: Security :: Cryptography",
- ]
- include = [
-- "LICENSE", "README.md", "CHANGELOG.md",
-+ { path = "LICENSE", format = "sdist" },
-+ { path = "README.md", format = "sdist" },
-+ { path = "CHANGELOG.md", format = "sdist" },
- ]
-
- [tool.poetry.dependencies]
diff --git a/dev-python/rsa/rsa-4.8-r2.ebuild b/dev-python/rsa/rsa-4.8-r2.ebuild
deleted file mode 100644
index 5a4cdf383088..000000000000
--- a/dev-python/rsa/rsa-4.8-r2.ebuild
+++ /dev/null
@@ -1,39 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-DISTUTILS_USE_PEP517=poetry
-PYTHON_COMPAT=( python3_{8..11} )
-
-inherit distutils-r1
-
-MY_P=python-rsa-version-${PV}
-DESCRIPTION="Pure-Python RSA implementation"
-HOMEPAGE="
- https://stuvel.eu/rsa/
- https://github.com/sybrenstuvel/python-rsa/
- https://pypi.org/project/rsa/
-"
-SRC_URI="
- https://github.com/sybrenstuvel/python-rsa/archive/version-${PV}.tar.gz
- -> ${MY_P}.gh.tar.gz
-"
-S=${WORKDIR}/${MY_P}
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS="amd64 arm arm64 ppc ~ppc64 ~riscv sparc x86"
-
-RDEPEND="
- >=dev-python/pyasn1-0.1.3[${PYTHON_USEDEP}]
-"
-
-PATCHES=( "${FILESDIR}/${P}-includes.patch" )
-
-distutils_enable_tests unittest
-
-src_prepare() {
- rm tests/test_mypy.py || die
- distutils-r1_src_prepare
-}
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-08-21 18:58 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-07-18 20:49 [gentoo-commits] repo/gentoo:master commit in: dev-python/rsa/files/, dev-python/rsa/ Sam James
-- strict thread matches above, loose matches on Subject: below --
2022-08-21 18:58 Arthur Zamarin
2020-08-11 9:38 Michał Górny
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox