Bug 760702 (CVE-2020-25658)

Summary:	<dev-python/rsa-4.7: timing attack vulnerability (CVE-2020-25658)
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	IN_PROGRESS ---
Severity:	minor	CC:	mgorny
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/sybrenstuvel/python-rsa/issues/165
Whiteboard:	B4 [glsa?]
Package list:		Runtime testing required:	---

Description John Helmert III archtester

2020-12-19 08:12:33 UTC

CVE-2020-25658:

It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA.


Upstream issue at $URL. Issue was closed by a patch, but it seems there's some uncertainty about whether the patch adequately addresses the security issue.

Comment 1 Sam James archtester

2021-01-10 12:39:19 UTC

4.7 is now out with a proper fix, it seems

Comment 2 Michał Górny archtester

2021-01-10 19:01:10 UTC

I'm going to push it shortly, just want to test all revdeps.

Comment 3 NATTkA bot gentoo-dev

2021-01-10 19:04:55 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: dev-python/rsa-4.7

Comment 4 NATTkA bot gentoo-dev

2021-01-10 19:21:00 UTC Comment hidden (obsolete)

All sanity-check issues have been resolved

Comment 5 Sam James archtester

2021-01-11 19:13:16 UTC

arm64 done

Comment 6 Sam James archtester

2021-01-11 19:13:54 UTC

arm done

Comment 7 Sam James archtester

2021-01-11 22:19:59 UTC

amd64 ppc sparc x86 (ALLARCHES) done

all arches done

Comment 8 Sam James archtester

2021-01-11 22:33:29 UTC

Please cleanup, thanks!

Comment 9 Larry the Git Cow gentoo-dev

2021-01-11 22:48:46 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4a0a76ae11cccd6046a21ea096d5ead335955603

commit 4a0a76ae11cccd6046a21ea096d5ead335955603
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-01-11 22:48:09 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-01-11 22:48:12 +0000

    dev-python/rsa: Remove old
    
    Bug: https://bugs.gentoo.org/760702
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/rsa/Manifest       |  1 -
 dev-python/rsa/rsa-4.2.ebuild | 35 -----------------------------------
 2 files changed, 36 deletions(-)

Comment 10 NATTkA bot gentoo-dev

2021-03-19 21:41:01 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: dev-python/rsa-4.7

Comment 11 NATTkA bot gentoo-dev

2021-07-29 17:24:59 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 12 NATTkA bot gentoo-dev

2021-07-29 17:33:32 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 13 NATTkA bot gentoo-dev

2021-07-29 17:41:25 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 14 NATTkA bot gentoo-dev

2021-07-29 17:49:33 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 15 NATTkA bot gentoo-dev

2021-07-29 18:05:28 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 16 NATTkA bot gentoo-dev

2021-07-29 18:13:46 UTC

Package list is empty or all packages have requested keywords.