Summary: | dev-python/rsa-{3.4.2-r2,4.1}: Information leak (ignores null bytes in ciphertext) (CVE-2020-13757) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | mgorny, python |
Priority: | Normal | Flags: | nattka: sanity-check+ |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://github.com/sybrenstuvel/python-rsa/issues/146 | | |
Whiteboard: | B4 [noglsa cve] | | |
Package list: | dev-python/rsa-4.2 | | |
Runtime testing required: | --- | | |
Bug Depends on: | 728460 | | |
Bug Blocks: | | | |
Description

Sam James 2020-06-10 22:59:42 UTC

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eb1fe2c80aa4ec640d06d4b3c2a0cc77b8e15eea

commit eb1fe2c80aa4ec640d06d4b3c2a0cc77b8e15eea
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-06-11 06:42:44 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-06-11 06:42:59 +0000

dev-python/rsa: Bump to 4.1

Bug: https://bugs.gentoo.org/727888
Signed-off-by: Michał Górny <mgorny@gentoo.org>

dev-python/rsa/Manifest | 1 +
dev-python/rsa/rsa-4.1.ebuild | 36 ++++++++++++++++++++++++++++++++++++
2 files changed, 37 insertions(+)

Sanity check failed:
> dev-python/rsa-4.1
> bdepend arm stable profile default/linux/arm/17.0 (1 total)
> dev-python/pyproject2setuppy[-python_single_target_python3_6(-),-python_single_target_python3_7(-),-python_single_target_python3_8(-),-python_single_target_python3_9(-),python_targets_python3_6(-),python_targets_python3_7(-)]
> bdepend arm dev profile default/linux/arm/17.0/armv4 (31 total)
> dev-python/pyproject2setuppy[-python_single_target_python3_6(-),-python_single_target_python3_7(-),-python_single_target_python3_8(-),-python_single_target_python3_9(-),python_targets_python3_6(-),python_targets_python3_7(-)]

All sanity-check issues have been resolved

Upstream just released 4.2, reverting the use of Poetry. Let's do that instead since it's the same code but less deps.

amd64 stable

arm stable

x86 stable

arm64 stable.

--- needs cleanup but can't yet

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7beacde9746149b88470517083dbc917524fdd75

commit 7beacde9746149b88470517083dbc917524fdd75
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-18 03:20:45 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-18 03:20:45 +0000

dev-python/rsa: drop vulnerable

Bug: https://bugs.gentoo.org/727888
Signed-off-by: Aaron Bauman <bman@gentoo.org>

dev-python/rsa/Manifest | 3 ---
dev-python/rsa/rsa-3.4.2-r1.ebuild | 34 ----------------------------------
dev-python/rsa/rsa-4.0.ebuild | 25 -------------------------
dev-python/rsa/rsa-4.1.ebuild | 36 ------------------------------------
4 files changed, 98 deletions(-)

Reverted: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=443b221bc2827fdb36a001669870a8d093460c55

I missed the dependent bugs.

@ maintainer(s): awscli-1 will *not* migrate to rsa-4.x anytime soon. Please consider adding https://src.fedoraproject.org/rpms/python-rsa/raw/el6/f/python-rsa-3.4.2-cve-2020-13757.patch instead.

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34a22092685c85bb93db50a961b50efab8b8bb3f

commit 34a22092685c85bb93db50a961b50efab8b8bb3f
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-08-11 09:32:05 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-08-11 09:37:52 +0000

dev-python/rsa: Backport CVE-2020-13757 fix to 3.4.2

Bug: https://bugs.gentoo.org/727888
Signed-off-by: Michał Górny <mgorny@gentoo.org>

.../rsa/files/rsa-3.4.2-cve-2020-13757.patch | 95 ++++++++++++++++++++++
.../{rsa-3.4.2-r1.ebuild => rsa-3.4.2-r2.ebuild} | 4 +
2 files changed, 99 insertions(+)

@ maintainer(s): Thank you.

All done, repository is clean.