Bug 765166 (CVE-2020-25657)

Summary:	<dev-python/m2crypto-0.39.0: Bleichenbacher vulnerability (CVE-2020-25657)
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	mgorny, python
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://gitlab.com/m2crypto/m2crypto/-/issues/285
Whiteboard:	A4 [noglsa]
Package list:		Runtime testing required:	---
Bug Depends on:	909677
Bug Blocks:

Description Sam James archtester

2021-01-12 22:20:50 UTC

CVE text:
"A flaw was found in all released versions of m2crypto, where they are vulnerable to Bleichenbacher timing attacks in the RSA decryption API via the timed processing of valid PKCS#1 v1.5 Ciphertext. The highest threat from this vulnerability is to confidentiality."

The CVE references https://gitlab.com/m2crypto/m2crypto/-/issues/285 but that gets called a duplicate of a private bug. So, it's unclear if this has been fixed, but no recent commits seem relevant.

Comment 1 Sam James archtester

2021-01-18 17:12:45 UTC

This needs to be fixed upstream in openssl, it seems:
https://github.com/openssl/openssl/issues/13421.

(See: https://gitlab.com/m2crypto/m2crypto/-/issues/285#note_486806844).

Comment 2 NATTkA bot gentoo-dev

2021-07-29 17:24:35 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 3 NATTkA bot gentoo-dev

2021-07-29 17:33:05 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 4 NATTkA bot gentoo-dev

2021-07-29 17:40:56 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 5 NATTkA bot gentoo-dev

2021-07-29 17:49:07 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 6 NATTkA bot gentoo-dev

2021-07-29 18:05:02 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 7 NATTkA bot gentoo-dev

2021-07-29 18:13:20 UTC

Package list is empty or all packages have requested keywords.

Comment 8 Sam James archtester

2023-07-05 01:20:39 UTC

From 0.39.0 release notes:
+- Mitigate the Bleichenbacher timing attacks in the RSA
+  decryption API (CVE-2020-25657)

Comment 9 Larry the Git Cow gentoo-dev

2023-07-05 01:24:17 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7bb1942539605a4b4194a60b007aec3ca57a9139

commit 7bb1942539605a4b4194a60b007aec3ca57a9139
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-07-05 01:23:08 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-07-05 01:23:38 +0000

    dev-python/m2crypto: add 0.39.0
    
    Bug: https://bugs.gentoo.org/765166
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-python/m2crypto/Manifest               |  1 +
 dev-python/m2crypto/m2crypto-0.39.0.ebuild | 71 ++++++++++++++++++++++++++++++
 2 files changed, 72 insertions(+)

Comment 10 Michał Górny archtester

2023-08-04 15:08:12 UTC

cleanup done.

Comment 11 Hans de Graaff gentoo-dev

2023-09-03 13:54:48 UTC

GLSA vote: no.