Bug 699848 (CVE-2019-14853, CVE-2019-14859) - <dev-python/ecdsa-0.13.3: multiple vulnerabilities (CVE-2019-{14853,14859})
Summary: <dev-python/ecdsa-0.13.3: multiple vulnerabilities (CVE-2019-{14853,14859})
Status: RESOLVED FIXED
Alias: CVE-2019-14853, CVE-2019-14859
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Keywords: PullRequest
Reported: 2019-11-11 17:06 UTC by GLSAMaker/CVETool Bot
Modified: 2020-04-26 03:11 UTC (History)
Package list:
dev-python/ecdsa-0.14.1
Runtime testing required: No
nattka: sanity-check-
Description GLSAMaker/CVETool Bot gentoo-dev 2019-11-11 17:06:53 UTC
CVE-2019-14853 (https://nvd.nist.gov/vuln/detail/CVE-2019-14853):
  A flaw was found in python-ecdsa. Unexpected and undocumented exceptions can
  be raised during signature decoding, which may lead to denial of service in
  some cases. All the versions between at least 0.5 and 0.13.2 are thought to be
  vulnerable.

CVE-2019-14859 (https://nvd.nist.gov/vuln/detail/CVE-2019-14859):
  A flaw was found in python-ecdsa before 0.13.3. The library is not verifying
  if the signatures actually use DER encoding for the signatures. This makes
  the signatures malleable and exposes use cases that further sign the
  signatures, in particular Bitcoin.
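Both CVEs in the report come down to how the DER-encoded signature (an ASN.1 SEQUENCE of two INTEGERs, r and s) is parsed. The following is an added example, not python-ecdsa's own code: a small decoder that raises a single documented exception on any malformed input (the CVE-2019-14853 concern), and that in strict mode accepts exactly one byte string per (r, s) pair, so the encoding cannot be rewritten into a different byte string that still decodes to the same values (the CVE-2019-14859 concern). All function names are this example's own, the sample values are constructed, and `noncanonical_variants` assumes a signature body shorter than 128 bytes.

```python
"""Strict DER decoding of an ECDSA signature: SEQUENCE { INTEGER r, INTEGER s }.
Added example, not python-ecdsa's own code. Bad input raises one documented
exception (never a stray IndexError, the CVE-2019-14853 class of bug), and strict
mode accepts exactly one byte string per (r, s) (the CVE-2019-14859 point)."""

class MalformedSignature(ValueError):
    """The only exception a caller must handle for untrusted signature bytes."""

def _read_length(buf, pos, strict):
    """Parse a DER length at buf[pos]; return (length, next_pos)."""
    if pos >= len(buf):
        raise MalformedSignature("truncated length")
    first, pos = buf[pos], pos + 1
    if first < 0x80:                                   # short form
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or pos + nbytes > len(buf):
        raise MalformedSignature("indefinite or truncated length")
    raw = buf[pos:pos + nbytes]
    length = int.from_bytes(raw, "big")
    if strict and (raw[0] == 0 or length < 0x80):      # DER: shortest length form only
        raise MalformedSignature("non-minimal length encoding")
    return length, pos + nbytes

def _read_integer(buf, pos, strict):
    """Parse a non-negative DER INTEGER at buf[pos]; return (value, next_pos)."""
    if pos >= len(buf) or buf[pos] != 0x02:
        raise MalformedSignature("expected INTEGER tag")
    length, pos = _read_length(buf, pos + 1, strict)
    if length == 0 or pos + length > len(buf):
        raise MalformedSignature("empty or truncated INTEGER")
    body = buf[pos:pos + length]
    if body[0] & 0x80:
        raise MalformedSignature("negative INTEGER cannot be r or s")
    if strict and length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise MalformedSignature("redundant leading zero in INTEGER")  # DER: minimal
    return int.from_bytes(body, "big"), pos + length

def decode_der_signature(sig, strict=True):
    """Return (r, s). strict=True enforces canonical DER and consumes all input;
    range checking 1 <= r, s < n is the verifier's job, not the parser's."""
    if not isinstance(sig, (bytes, bytearray)) or not sig or sig[0] != 0x30:
        raise MalformedSignature("expected SEQUENCE tag")
    seq_len, pos = _read_length(sig, 1, strict)
    if pos + seq_len > len(sig) or (strict and pos + seq_len != len(sig)):
        raise MalformedSignature("SEQUENCE length does not match input")
    r, pos = _read_integer(sig, pos, strict)
    s, pos = _read_integer(sig, pos, strict)
    if strict and pos != len(sig):
        raise MalformedSignature("trailing data after signature")
    return r, s

def _der_len(n):                                       # shortest DER length encoding of n
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def _der_int(n, pad=0):
    """DER INTEGER for n >= 0; pad > 0 adds redundant zero bytes (not DER)."""
    body = b"\x00" * pad + n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def encode_der_signature(r, s):
    """The single canonical DER encoding of (r, s)."""
    body = _der_int(r) + _der_int(s)
    return b"\x30" + _der_len(len(body)) + body

def noncanonical_variants(r, s):
    """Three BER-legal, non-DER encodings of the same (r, s); assumes body < 128 bytes.
    A lenient parser returns the same pair for each; strict mode rejects all three."""
    body = _der_int(r) + _der_int(s)
    return [
        b"\x30\x81" + bytes([len(body)]) + body,                          # long-form length
        b"\x30" + _der_len(len(body) + 1) + _der_int(r, 1) + _der_int(s),  # padded r
        encode_der_signature(r, s) + b"\x00",                             # trailing byte
    ]

def strict_rejects(sig):
    """True if strict decoding raises MalformedSignature (and nothing else)."""
    try:
        decode_der_signature(sig)
    except MalformedSignature:
        return True
    return False

def decodes_or_rejects_cleanly(sig, strict=True):
    """Robustness property: every truncation and single-byte corruption of sig
    either decodes or raises MalformedSignature; any other exception is a bug."""
    cands = [sig[:cut] for cut in range(len(sig))]
    cands += [sig[:i] + bytes([b]) + sig[i + 1:]
              for i in range(len(sig)) for b in (0x00, 0x7F, 0x80, 0xFF)]
    for cand in cands:
        try:
            decode_der_signature(cand, strict)
        except MalformedSignature:
            pass
        except Exception:
            return False
    return True
```

Running `decode_der_signature(v, strict=False)` over `noncanonical_variants(r, s)` returns the same (r, s) three times from three different byte strings, which is exactly what a system that hashes or further signs the signature bytes cannot tolerate; with the default `strict=True` each variant raises `MalformedSignature`. `decodes_or_rejects_cleanly` is the property a fuzzer would check for the denial-of-service issue: whatever the input, the caller sees either a pair or the one documented exception.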
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-11-11 17:15:48 UTC
I don't see any <-deps, so let's stabilize 0.14.1.
Comment 2 Luke-Jr 2019-11-11 19:54:16 UTC
(In reply to GLSAMaker/CVETool Bot from comment #0)
> CVE-2019-14853 (https://nvd.nist.gov/vuln/detail/CVE-2019-14853):
>   A flaw was found in python-ecdsa. Unexpected and undocumented exceptions can
>   be raised during signature decoding, which may lead to denial of service in
>   some cases. All the versions between at least 0.5 and 0.13.2 are thought to be
>   vulnerable.

What software is actually affected by this?

> CVE-2019-14859 (https://nvd.nist.gov/vuln/detail/CVE-2019-14859):
>   A flaw was found in python-ecdsa before 0.13.3. The library is not verifying
>   if the signatures actually use DER encoding for the signatures. This makes
>   the signatures malleable and exposes use cases that further sign the
>   signatures. In particular bitcoin.

Eh? DER signatures are always malleable last I checked...? Why the claim this affects Bitcoin? Bitcoin doesn't use Python, and does expect malleable signatures.
Comment 3 Agostino Sarubbo gentoo-dev 2019-11-12 10:07:41 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-11-12 10:13:59 UTC
sparc stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-11-12 15:09:19 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-11-13 07:41:43 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-11-13 07:45:57 UTC
amd64 stable
Comment 8 Rolf Eike Beer archtester 2019-11-13 21:47:14 UTC
hppa stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-11-14 11:58:05 UTC
ia64 stable
Comment 10 Matt Turner gentoo-dev 2019-11-22 16:23:20 UTC
alpha stable
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-27 13:33:38 UTC
arm stable
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-19 01:06:34 UTC
@maintainer(s), please cleanup vulnerable versions.
Comment 13 Luke-Jr 2020-03-19 01:54:54 UTC
FWIW, metadata.xml claims I am the sole maintainer of this package, but I have never actually maintained or agreed to maintain it AFAIR... Not sure how I ended up added to metadata.xml for this in the first place.
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-19 01:56:46 UTC
(In reply to Luke-Jr from comment #13)
> FWIW, metadata.xml claims I am the sole maintainer of this package, but I
> have never actually maintained or agreed to maintain it AFAIR... Not sure
> how I ended up added to metadata.xml for this in the first place.

I'll drop you when I do a cleanup PR in a bit. Very odd!
Comment 15 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-03-19 06:31:04 UTC
(In reply to Luke-Jr from comment #13)
> FWIW, metadata.xml claims I am the sole maintainer of this package, but I
> have never actually maintained or agreed to maintain it AFAIR... Not sure
> how I ended up added to metadata.xml for this in the first place.

You became the sole maintainer when the other maintainers resigned. You were added in 2012 in the initial commit, apparently as a dependency of net-misc/electrum. Python will take care of that package.
Comment 16 Larry the Git Cow gentoo-dev 2020-03-19 06:35:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b1026b6ae37df29c07e90f41d3325ecf5a7168a

commit 8b1026b6ae37df29c07e90f41d3325ecf5a7168a
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-19 03:10:54 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-03-19 06:31:42 +0000

    dev-python/ecdsa: Drop the proxy-maintainer to m-n
    
    Luke-Jr does not want to be proxy maintainer
    of this package, and is not sure how he became it(!).
    See bug.
    
    Bug: https://bugs.gentoo.org/699848
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Closes: https://github.com/gentoo/gentoo/pull/15009
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/ecdsa/metadata.xml | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f24e935a113dedd77d502364ca8dfb4991269a6b

commit f24e935a113dedd77d502364ca8dfb4991269a6b
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-19 03:07:31 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-03-19 06:31:40 +0000

    dev-python/ecdsa: Drop vulnerable versions
    
    Bug: https://bugs.gentoo.org/699848
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/ecdsa/Manifest            |  2 --
 dev-python/ecdsa/ecdsa-0.13.2.ebuild | 23 -----------------------
 dev-python/ecdsa/ecdsa-0.13.ebuild   | 23 -----------------------
 3 files changed, 48 deletions(-)
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 19:15:16 UTC
Tree is clean.
Comment 18 NATTkA bot gentoo-dev 2020-04-06 15:05:11 UTC
Unable to check for sanity:

> no match for package: dev-python/ecdsa-0.14.1
Comment 19 Yury German Gentoo Infrastructure gentoo-dev 2020-04-26 03:11:03 UTC
GLSA Vote: No

Thank you all for your work.
Closing as [noglsa].