Bug 534534 - <dev-python/python-gnupg-0.37: Incomplete fix for CVE-2013-7323 (CVE-2014-1929)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~2 [noglsa]
Reported: 2015-01-03 21:16 UTC by GLSAMaker/CVETool Bot
Modified: 2016-03-31 08:23 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2015-01-03 21:16:18 UTC
CVE-2014-1929 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1929):
  python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an
  unspecified impact via vectors related to "option injection through
  positional arguments." NOTE: this vulnerability exists because of an
  incomplete fix for CVE-2013-7323.


Maintainer(s), please bump to 0.3.7 and drop 0.3.6.
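The CVE text above names the bug class, "option injection through positional arguments", without showing it. The following is an added illustration written for this page; it is not python-gnupg's code and not the change that went into 0.3.7. A wrapper builds a gpg argv and appends a caller-supplied string (a filename, key id or recipient) where an operand belongs; if that string begins with "-", an option parser consumes it as an option. `parse_argv` is a deliberately simplified stand-in for a GnuPG-style option parser (it is not GnuPG's own parser), `GPG_BINARY` and the `--output=...` attacker input are constructed for the example, and the hardened builder both rejects operands that look like options and places a bare `--` end-of-options marker before them.

```python
"""Option injection through positional arguments: a minimal model.

Added example, not python-gnupg's code. `parse_argv` is a toy option
parser used to make the effect visible offline; real gpg is never run.
"""
from __future__ import annotations

from typing import Dict, List, Tuple

GPG_BINARY = "gpg"  # assumption: a wrapper would normally locate this


def parse_argv(argv: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Toy parser: '--name' and '--name=value' become options, anything
    else is an operand, and a bare '--' ends option processing (GnuPG's
    own parser honours '--' as well, but this model is not GnuPG's)."""
    options: Dict[str, str] = {}
    operands: List[str] = []
    for i, tok in enumerate(argv):
        if tok == "--":
            operands.extend(argv[i + 1:])  # everything after '--' is data
            break
        if tok.startswith("--"):
            name, sep, value = tok.partition("=")
            options[name] = value if sep else ""
        else:
            operands.append(tok)
    return options, operands


def build_args_vulnerable(operation: str, untrusted_file: str) -> List[str]:
    """Bug class: the untrusted value is appended as if it were a filename,
    with nothing stopping the parser from reading it as an option."""
    return [GPG_BINARY, "--batch", operation, untrusted_file]


def check_positional(value: str) -> str:
    """Reject operands that an option parser would take for an option.
    Kept even though '--' is also used: it is the defence that still holds
    if a positional ever ends up before the '--' marker."""
    if value.startswith("-"):
        raise ValueError(f"positional argument looks like an option: {value!r}")
    return value


def build_args_hardened(operation: str, untrusted_file: str) -> List[str]:
    """Fixed form: validate the operand and terminate options with '--'."""
    return [GPG_BINARY, "--batch", operation, "--", check_positional(untrusted_file)]


def demo() -> dict:
    """Run both builders on a constructed attacker-controlled filename."""
    evil = "--output=/tmp/attacker-controlled"  # constructed attacker input
    v_opts, v_ops = parse_argv(build_args_vulnerable("--decrypt", evil)[1:])
    h_opts, h_ops = parse_argv(build_args_hardened("--decrypt", "report.gpg")[1:])
    try:
        build_args_hardened("--decrypt", evil)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_options": v_opts,   # contains the injected --output
        "vulnerable_operands": v_ops,   # the "filename" vanished
        "hardened_options": h_opts,
        "hardened_operands": h_ops,
        "hardened_rejected_evil": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the vulnerable case the "filename" never reaches the operand list: the parser records `--output=/tmp/attacker-controlled` as an option and the decrypt operation is left with no input operand, so an attacker who controls only a filename has changed gpg's behaviour. With the end-of-options marker, even a legitimately odd name such as `-weird.gpg` placed after `--` parses as data, which is why the hardened builder relies on `--` for correctness and on `check_positional` as a second line of defence.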
Comment 1 Tomáš Mózes 2015-02-04 14:22:35 UTC
The tests fail when using the package from pypi. One needs to:
1) grab files from:
https://bitbucket.org/vinay.sajip/python-gnupg/src/86ad1efe4563fa2772016037c44ad6b9464bf96b/test_pubring.gpg?at=default
https://bitbucket.org/vinay.sajip/python-gnupg/src/86ad1efe4563fa2772016037c44ad6b9464bf96b/test_secring.gpg?at=default

2) patch according to:
https://bitbucket.org/vinay.sajip/python-gnupg/commits/79c73a9ce6e33555246f9dae2ef4be9964e2704b

$ python test_gnupg.py 
test_deletion (__main__.GPGTestCase)
Test that key deletion works ... ok
test_encryption_and_decryption (__main__.GPGTestCase)
Test that encryption and decryption works ... ok
test_environment (__main__.GPGTestCase)
Test the environment by ensuring that setup worked ... ok
test_file_encryption_and_decryption (__main__.GPGTestCase)
Test that encryption/decryption to/from file works ... ok
test_filenames_with_spaces (__main__.GPGTestCase)
Test that filenames with spaces are correctly handled ... ok
test_import_and_export (__main__.GPGTestCase)
Test that key import and export works ... ok
test_import_only (__main__.GPGTestCase)
Test that key import works ... ok
test_key_generation_with_colons (__main__.GPGTestCase)
Test that key generation handles colons in key fields ... ok
test_key_generation_with_empty_value (__main__.GPGTestCase)
Test that key generation handles empty values ... ok
test_key_generation_with_escapes (__main__.GPGTestCase)
Test that key generation handles escape characters ... ok
test_key_generation_with_invalid_key_type (__main__.GPGTestCase)
Test that key generation handles invalid key type ... ok
test_list_keys_after_generation (__main__.GPGTestCase)
Test that after key generation, the generated key is available ... ok
test_list_keys_initial (__main__.GPGTestCase)
Test that initially there are no keys ... ok
test_make_args (__main__.GPGTestCase)
Test argument line construction ... ok
test_nogpg (__main__.GPGTestCase)
Test that absence of gpg is handled correctly ... ok
test_quote_with_shell (__main__.GPGTestCase)
Test shell quoting with a real shell ... ok
test_scan_keys (__main__.GPGTestCase)
Test that external key files can be scanned ... ok
test_search_keys (__main__.GPGTestCase)
Test that searching for keys works ... ok
test_signature_file (__main__.GPGTestCase)
Test that signing and verification works via the GPG output ... ok
test_signature_verification (__main__.GPGTestCase)
Test that signing and verification works ... ok
encrypt (gnupg.GPG)
Doctest: gnupg.GPG.encrypt ... ok
gen_key (gnupg.GPG)
Doctest: gnupg.GPG.gen_key ... ok
import_keys (gnupg.GPG)
Doctest: gnupg.GPG.import_keys ... ok
list_keys (gnupg.GPG)
Doctest: gnupg.GPG.list_keys ... ok
recv_keys (gnupg.GPG)
Doctest: gnupg.GPG.recv_keys ... ok
search_keys (gnupg.GPG)
Doctest: gnupg.GPG.search_keys ... ok
verify (gnupg.GPG)
Doctest: gnupg.GPG.verify ... ok

----------------------------------------------------------------------
Ran 27 tests in 31.300s

OK
Comment 2 Patrice Clement gentoo-dev 2015-02-04 14:28:45 UTC
I've also opened a bug about the size of the testsuite script, which is a pain to debug:

https://bitbucket.org/vinay.sajip/python-gnupg/issue/27/break-down-python-gnupg-testsuite-into
Comment 3 Tomáš Mózes 2015-02-04 14:36:52 UTC
(In reply to Tomas Mozes from comment #1)
> The tests fail when using the package from pypi. One needs to:
> 1) grab files from:
> https://bitbucket.org/vinay.sajip/python-gnupg/src/86ad1efe4563fa2772016037c44ad6b9464bf96b/test_pubring.gpg?at=default
> https://bitbucket.org/vinay.sajip/python-gnupg/src/86ad1efe4563fa2772016037c44ad6b9464bf96b/test_secring.gpg?at=default
> 
> 2) patch according to:
> https://bitbucket.org/vinay.sajip/python-gnupg/commits/79c73a9ce6e33555246f9dae2ef4be9964e2704b

It turns out that the github release has the 2 test files:
https://github.com/vsajip/python-gnupg/archive/0.3.7.tar.gz

So we just need to apply patch:
https://github.com/vsajip/python-gnupg/commit/699b8f0ef62b2c759252d82faf1d4b607dcb0892
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2015-02-04 16:07:24 UTC
The SRC_URI needs updating to github in the bumped version.

In order to see the suite pass, the file patched in the commit is the key file gnupg.py. The testsuite appears to fail only 1 test under pypy, which is a minor player as an impl. Ack to the contribution of Tomas and Patrice.
This bump to 0.3.7 looks satisfactory; need to test-run a little more before bumping.
Comment 5 Ian Delaney (RETIRED) gentoo-dev 2015-02-05 02:13:05 UTC
*python-gnupg-0.3.7 (05 Feb 2015)

  05 Feb 2015; Ian Delaney <idella4@gentoo.org>
  +files/python-gnupg-0.3.7-msg-handle.patch, +python-gnupg-0.3.7.ebuild,
  -files/python-gnupg-0.3.2-fast-random.patch, -python-gnupg-0.3.6.ebuild:
  bump; update HOMEPAGE & SRC_URI, rm disused patch and 0.3.6. required by bug
  #534534
Comment 6 Patrice Clement gentoo-dev 2015-02-06 16:24:33 UTC
Follow-up on the bug I've opened on bitbucket:

Vinay Sajip repo owner changed status to WONTFIX

It doesn't seem especially large for a test file (it's probably grown a bit since 0.3.6). I don't plan to change the structure, because of the way I construct subsets of the tests I want to run from the command line via command line arguments.

If you want to propose a patch which preserves this current functionality of the tests, I'll consider it - but as I say, I don't believe the current size is too large.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-03-31 08:23:27 UTC
Package was bumped and no vulnerable versions are in the tree.