Description: "Python-RSA 4.0 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation)."
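The behaviour the CVE text describes, as an added example that is not code from python-rsa, from the 4.1/4.2 releases, or from the Fedora/Gentoo backport patch referenced later in this bug. It is a textbook-RSA toy (no padding, constructed 30-bit primes, a constructed short message) that puts the vulnerable pattern beside a hardened one: `decrypt_lenient` turns the ciphertext into an integer with `int.from_bytes`, which makes any number of leading 0x00 bytes invisible, while `decrypt_strict` refuses a ciphertext whose length is not exactly the key's byte size. The names `byte_size`, `decrypt_lenient`, `decrypt_strict`, `strict_rejects` and `accepts_leading_zero_bytes` are this example's own, and the choice to compare the length with `!=` (so both over-long and under-long ciphertexts are refused) is this example's choice, not a claim about what the library's patch does.

```python
# Added example (not python-rsa code): contrast a decryptor that silently
# tolerates leading 0x00 bytes, as CVE-2020-13757 describes for Python-RSA
# 4.0, with one that rejects any ciphertext of the wrong length.
# All parameters below are constructed for the demo and far too small for
# real use.

P = 1_000_000_007                      # well-known 30-bit prime
Q = 998_244_353                        # well-known 30-bit prime
N = P * Q                              # 60-bit modulus -> 8-byte block
E = 65_537
D = pow(E, -1, (P - 1) * (Q - 1))      # modular inverse; needs Python >= 3.8
M = int.from_bytes(b"secret!", "big")  # constructed 7-byte message, < N


def byte_size(n: int) -> int:
    """Bytes needed to hold n, i.e. the key/ciphertext block size."""
    return (n.bit_length() + 7) // 8


def encrypt(m: int, e: int = E, n: int = N) -> bytes:
    """Textbook RSA: c = m^e mod n, serialised to exactly byte_size(n) bytes."""
    if not 0 <= m < n:
        raise ValueError("message out of range")
    return pow(m, e, n).to_bytes(byte_size(n), "big")


def decrypt_lenient(ciphertext: bytes, d: int = D, n: int = N) -> int:
    """Vulnerable pattern: bytes -> int -> decrypt, with no length check.

    int.from_bytes() yields the same integer for k zero bytes followed by
    the ciphertext as for the ciphertext alone, so an arbitrarily long
    zero prefix is silently accepted.
    """
    c = int.from_bytes(ciphertext, "big")
    return pow(c, d, n)


def decrypt_strict(ciphertext: bytes, d: int = D, n: int = N) -> int:
    """Hardened pattern: the ciphertext must be exactly one block long.

    Ciphertext length is public information, so this check does not need
    to be constant-time. A single generic error message is used for every
    failure so the caller learns nothing about which check fired.
    """
    if len(ciphertext) != byte_size(n):
        raise ValueError("Decryption failed")
    c = int.from_bytes(ciphertext, "big")
    if c >= n:
        raise ValueError("Decryption failed")
    return pow(c, d, n)


def strict_rejects(ciphertext: bytes) -> bool:
    """True if the hardened decryptor refuses the ciphertext."""
    try:
        decrypt_strict(ciphertext)
    except ValueError:
        return True
    return False


def accepts_leading_zero_bytes(decrypt_fn, ciphertext: bytes, extra: int = 16) -> bool:
    """The fingerprint the CVE text alludes to: does this decryptor treat a
    zero-prefixed ciphertext as equivalent to the original? A decryption
    oracle that answers yes behaves like the unpatched library."""
    try:
        return decrypt_fn(b"\x00" * extra + ciphertext) == decrypt_fn(ciphertext)
    except ValueError:
        return False


if __name__ == "__main__":
    ct = encrypt(M)
    print("block size:", byte_size(N), "bytes; ciphertext:", ct.hex())
    print("lenient accepts zero-prefixed ciphertext:",
          accepts_leading_zero_bytes(decrypt_lenient, ct))
    print("strict accepts zero-prefixed ciphertext:",
          accepts_leading_zero_bytes(decrypt_strict, ct))
    print("strict rejects a 4-byte zero prefix:",
          strict_rejects(b"\x00" * 4 + ct))
```

Run it directly to see the lenient decryptor return the same plaintext for the 8-byte ciphertext and for a 12-byte zero-prefixed copy, while the strict one only accepts the 8-byte form. The same length check is what stops the "excessive memory allocation" variant in the CVE text: a multi-megabyte ciphertext is rejected before it is ever converted to an integer.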
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eb1fe2c80aa4ec640d06d4b3c2a0cc77b8e15eea

commit eb1fe2c80aa4ec640d06d4b3c2a0cc77b8e15eea
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-06-11 06:42:44 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-06-11 06:42:59 +0000

    dev-python/rsa: Bump to 4.1

    Bug: https://bugs.gentoo.org/727888
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/rsa/Manifest       |  1 +
 dev-python/rsa/rsa-4.1.ebuild | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)
Sanity check failed:

> dev-python/rsa-4.1
>   bdepend arm stable profile default/linux/arm/17.0 (1 total)
>     dev-python/pyproject2setuppy[-python_single_target_python3_6(-),-python_single_target_python3_7(-),-python_single_target_python3_8(-),-python_single_target_python3_9(-),python_targets_python3_6(-),python_targets_python3_7(-)]
>   bdepend arm dev profile default/linux/arm/17.0/armv4 (31 total)
>     dev-python/pyproject2setuppy[-python_single_target_python3_6(-),-python_single_target_python3_7(-),-python_single_target_python3_8(-),-python_single_target_python3_9(-),python_targets_python3_6(-),python_targets_python3_7(-)]
All sanity-check issues have been resolved
Upstream just released 4.2, reverting the use of Poetry. Let's do that instead since it's the same code but fewer deps.
amd64 stable
arm stable
x86 stable
arm64 stable. --- needs cleanup but can't yet
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7beacde9746149b88470517083dbc917524fdd75

commit 7beacde9746149b88470517083dbc917524fdd75
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-18 03:20:45 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-18 03:20:45 +0000

    dev-python/rsa: drop vulnerable

    Bug: https://bugs.gentoo.org/727888
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-python/rsa/Manifest            |  3 ---
 dev-python/rsa/rsa-3.4.2-r1.ebuild | 34 ----------------------------------
 dev-python/rsa/rsa-4.0.ebuild      | 25 -------------------------
 dev-python/rsa/rsa-4.1.ebuild      | 36 ------------------------------------
 4 files changed, 98 deletions(-)
Reverted: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=443b221bc2827fdb36a001669870a8d093460c55 I missed the dependent bugs.
@ maintainer(s): awscli-1 will *not* migrate to rsa-4.x anytime soon. Please consider adding https://src.fedoraproject.org/rpms/python-rsa/raw/el6/f/python-rsa-3.4.2-cve-2020-13757.patch instead.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=34a22092685c85bb93db50a961b50efab8b8bb3f

commit 34a22092685c85bb93db50a961b50efab8b8bb3f
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-08-11 09:32:05 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-08-11 09:37:52 +0000

    dev-python/rsa: Backport CVE-2020-13757 fix to 3.4.2

    Bug: https://bugs.gentoo.org/727888
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 .../rsa/files/rsa-3.4.2-cve-2020-13757.patch     | 95 ++++++++++++++++++++++
 .../{rsa-3.4.2-r1.ebuild => rsa-3.4.2-r2.ebuild} |  4 +
 2 files changed, 99 insertions(+)
@ maintainer(s): Thank you. All done, repository is clean.