Bug 551556 - <dev-python/pyjwt-1.3.0: signature verification bypass, wrong key used
Summary: <dev-python/pyjwt-1.3.0: signature verification bypass, wrong key used
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://auth0.com/blog/2015/03/31/cri...
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 551850
Blocks:
Reported: 2015-06-09 13:33 UTC by Sam James
Modified: 2015-08-10 14:49 UTC (History)
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-06-09 13:33:56 UTC
From URL:
----
I found many libraries with critical vulnerabilities allowing attackers to bypass the verification step.
----

Upstream's advisory is a blog post with analysis: no concise explanations that are logical without the (long) context of the post.
http://www.openwall.com/lists/oss-security/2015/04/01/4
https://github.com/jpadilla/pyjwt/commit/88a9fc56bdc6c870aa6af93bda401414a217db2a
http://jwt.io/

There is no CVE for this bug as far as I can see, although CVE-2015-2951 is assigned to the PHP library.
jwt.io says <1.0.1 is vulnerable.

In our tree, we have:
0.2.1 (stable) (vulnerable)
1.3.0 (unstable) (invulnerable)

Is 1.3.0 OK for stabilisation?

Reproducible: Always
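The bug title names the failure mode (signature verification bypass because the token's own header steers which key or algorithm the verifier applies). The following is an added illustration of the defensive pattern, written for this page and not taken from pyjwt or its fix commit: a minimal HS256 verifier on the Python standard library in which the caller pins the allowed algorithm list, "none" is never honoured, and the key is only ever used as an HMAC secret. All names, the sample key and the sample claims are constructed for the example.

```python
"""Added example: strict HS256 JWT verification (not pyjwt's code).

The verifier, not the token, decides which algorithm is acceptable. A token
header claiming "none" or any algorithm outside the pinned list is refused
before any signature work happens, and the key is treated strictly as an
HMAC secret so a header cannot redirect verification onto the wrong key type.
"""
import base64
import hashlib
import hmac
import json


def _b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue an HS256 token (helper so the example runs stand-alone)."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body_b64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{body_b64}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{body_b64}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, allowed_algs=("HS256",)) -> dict:
    """Verify and decode a token; raise ValueError on any failure.

    `allowed_algs` is chosen by the caller. "none" is rejected even if a
    caller mistakenly lists it, and only HS256 is implemented here, so the
    key can never be interpreted as anything but an HMAC secret.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    if alg == "none" or alg not in allowed_algs:
        raise ValueError(f"algorithm {alg!r} not allowed")
    if alg != "HS256":
        raise ValueError(f"algorithm {alg!r} not implemented by this verifier")
    signing_input = f"{header_b64}.{body_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # constant-time comparison; an empty or truncated signature also fails here
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(body_b64))


def is_accepted(token: str, key: bytes, allowed_algs=("HS256",)) -> bool:
    """Boolean wrapper for tests and logging: True only on full verification."""
    try:
        verify_hs256(token, key, allowed_algs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # constructed sample key and claims
    secret = b"constructed-example-secret"
    token = sign_hs256({"sub": "alice", "role": "user"}, secret)
    print("valid token accepted:", is_accepted(token, secret))
    print("wrong key accepted:", is_accepted(token, b"another-key"))
```

Negative test vectors worth keeping in a project's own test suite are a header with `"alg":"none"` and an empty signature, a header naming an algorithm outside the pinned list, and a tampered payload with the original signature; each must be refused regardless of what the header claims.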
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2015-06-12 00:43:57 UTC
With the fast tracking of security status this looks fine.
Arch teams please stabilise dev-python/pyjwt-1.3.0
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-06-13 06:29:10 UTC
Arm keyword was dropped:
  30 May 2015; Maxim Koltsov <maksbotan@gentoo.org> +pyjwt-1.3.0.ebuild:
  Bump to 1.3.0. Dropped arm keyword as dev-python/pytest-runner doesn't have it
Comment 3 Agostino Sarubbo gentoo-dev 2015-06-13 10:26:08 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-06-13 10:27:25 UTC
x86 stable
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-07-06 12:01:56 UTC
Arches, Thank you for your work.

CVE Requested - http://seclists.org/oss-sec/2015/q2/3
Arm went non-stable for this version (see comment 2).

Maintainer(s), please drop the vulnerable version(s).

Security Please Vote.
GLSA Vote: No
Comment 6 Ian Delaney (RETIRED) gentoo-dev 2015-07-15 04:43:53 UTC
  15 Jul 2015; Ian Delaney <idella4@gentoo.org> -pyjwt-0.2.1.ebuild,
  pyjwt-1.3.0.ebuild:
  drop old wrt bug #551556
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-07-15 10:39:34 UTC
Still pending a CVE. 

Need votes for GLSA.
Comment 8 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-08-10 14:48:55 UTC
GLSA Vote: No
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-10 14:49:15 UTC
GLSA vote: no