
Bug 662564 (CVE-2018-10903)

Summary: <dev-python/cryptography-2.2.2-r1 - GCM tag forgery via truncated tag in finalize_with_tag API
Product: Gentoo Security
Reporter: OzTiram <oz.tiram>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: jstein, python, whissi
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/9405
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description OzTiram 2018-08-01 05:47:49 UTC
A known CVE was published for cryptography versions found in Gentoo.

https://nvd.nist.gov/vuln/detail/CVE-2018-10903

Please update cryptography to version 2.3.

Happy to lend a hand in ebuild testing!
Comment 1 Larry the Git Cow gentoo-dev 2018-08-01 17:52:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bc82ed8c77227b67d20d84d0a05cffb8be68f26d

commit bc82ed8c77227b67d20d84d0a05cffb8be68f26d
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2018-08-01 17:40:20 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2018-08-01 17:50:27 +0000

    dev-python/cryptography: 2.2.2-r1 for CVE-2018-10903 with cleanup
    
    Fast stable as well
    
    Bug: https://bugs.gentoo.org/662564
    Package-Manager: Portage-2.3.43, Repoman-2.3.10

 .../cryptography-vectors-1.7.1.ebuild              | 25 -------
 .../cryptography-vectors-2.0.2.ebuild              | 25 -------
 .../cryptography-vectors-2.1.4.ebuild              | 25 -------
 .../cryptography-vectors-2.2.2.ebuild              |  2 +-
 .../cryptography-vectors-2.3.ebuild                |  2 +-
 dev-python/cryptography/Manifest                   |  3 -
 .../cryptography/cryptography-1.7.1-r1.ebuild      | 52 ---------------
 dev-python/cryptography/cryptography-1.7.1.ebuild  | 50 --------------
 .../cryptography/cryptography-2.0.2-r1.ebuild      | 51 ---------------
 .../cryptography/cryptography-2.1.4-r1.ebuild      | 68 -------------------
 dev-python/cryptography/cryptography-2.1.4.ebuild  | 63 ------------------
 ....1.4-r2.ebuild => cryptography-2.2.2-r1.ebuild} |  3 +-
 dev-python/cryptography/cryptography-2.2.2.ebuild  | 68 -------------------
 dev-python/cryptography/files/CVE-2018-10903.patch | 76 ++++++++++++++++++++++
 14 files changed, 80 insertions(+), 433 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f9ba7fc9d66809b602189bbd2650eac8d86d91a

commit 3f9ba7fc9d66809b602189bbd2650eac8d86d91a
Author:     Oz Tiram <oz.tiram@gmail.com>
AuthorDate: 2018-08-01 08:51:05 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2018-08-01 17:35:17 +0000

    dev-python/cryptography: bump version to 2.3
    
    libressl is now supported upstream, removing patches
    
    Bug: https://bugs.gentoo.org/662564
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 dev-python/cryptography-vectors/Manifest           |  1 +
 .../cryptography-vectors-2.3.ebuild                | 25 ++++++++
 dev-python/cryptography/Manifest                   |  1 +
 dev-python/cryptography/cryptography-2.3.ebuild    | 67 ++++++++++++++++++++++
 4 files changed, 94 insertions(+)
Comment 2 Matthew Thode (prometheanfire) gentoo-dev 2018-08-01 17:52:55 UTC
cleaned up
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-08-05 22:45:23 UTC
*** Bug 662886 has been marked as a duplicate of this bug. ***