Bug 23339

Summary: python-cryptography new security issue fixed upstream in 2.3 (CVE-2018-10903)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, bruno, geiger.david68210, herman.viaene, makowski.mageia, marja11, sysadmin-bugs, tmb
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK MGA6-32-OK
Source RPM: python-cryptography-2.2.2-1.mga7.src.rpm CVE:
Status comment:
Bug Depends on: 23803, 23810    
Bug Blocks: 23111    

Description David Walser 2018-07-22 18:24:03 CEST 
Fedora has issued an advisory today (July 22):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VKC5JVSO26YBOAYNY4HDSDFREMO4DS67/

The issue was fixed in 2.3.

Mageia 6 is also affected.
David Walser 2018-07-22 18:24:11 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-07-22 18:36:01 CEST 
Assigning to the python stack maintainers, CC'ing the registered maintainer.

Assignee: bugsquad => python
CC: (none) => makowski.mageia, marja11

Comment 2 David Walser 2018-07-24 17:42:34 CEST 
Ubuntu has issued an advisory for this on July 23:
https://usn.ubuntu.com/3720-1/

Summary: python-cryptography new security issue fixed upstream in 2.3 => python-cryptography new security issue fixed upstream in 2.3 (CVE-2018-10903)

David Walser 2018-07-25 11:16:50 CEST

Blocks: (none) => 23111
CC: (none) => geiger.david68210

Comment 3 Bruno Cornec 2018-10-24 20:28:28 CEST 
Cauldron updated with:
python-cryptography-vectors-2.3.1-1.mga7
python-cryptography-2.3.1-1.mga7

Whiteboard: MGA6TOO => (none)
Assignee: python => bruno
Version: Cauldron => 6
CC: (none) => bruno
Status: NEW => ASSIGNED

Comment 4 Bruno Cornec 2018-10-25 00:34:03 CEST 
mga6 updated with:
python-cryptography-vectors-2.3.1-1.mga6
python-cryptography-2.3.1-1.mga6

Assignee: bruno => qa-bugs

Comment 5 David Walser 2018-10-25 00:47:17 CEST 
Advisory:
========================

Updated python-cryptography packages fix security vulnerability:

The finalize_with_tag API did not enforce a minimum tag length. If a user did
not validate the input length prior to passing it to finalize_with_tag an
attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such
that they would have a 1 in 256 chance of passing the MAC check. GCM tag
forgeries can cause key leakage (CVE-2018-10903).

The python-cryptography and python-cryptography-vectors packages have been
updated to version 2.3.1.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10903
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VKC5JVSO26YBOAYNY4HDSDFREMO4DS67/
========================

Updated packages in core/updates_testing:
========================
python-cryptography-2.3.1-1.mga6
python3-cryptography-2.3.1-1.mga6
python-cryptography-vectors-2.3.1-1.mga6
python3-cryptography-vectors-2.3.1-1.mga6

from SRPMS:
python-cryptography-2.3.1-1.mga6.src.rpm
python-cryptography-vectors-2.3.1-1.mga6.src.rpm
Comment 6 Herman Viaene 2018-10-30 14:24:33 CET 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Ref bug 19736 Comment 4
at CLI
$ python -c 'import cryptography;print(cryptography.__version__)'
2.3.1
$ python3 -c 'import cryptography;print(cryptography.__version__)'
2.3.1
So OK for me.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 7 Thomas Andrews 2018-11-02 20:28:26 CET 
MGA6-64 Plasma system.

No installation issues with 64-bit, either. The commands Herman used have the same result. So, OK for 64-bit, too.

Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
Whiteboard: MGA6-32-OK => MGA6-64-OK MGA6-32-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2018-11-03 12:15:08 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 8 Mageia Robot 2018-11-03 12:56:25 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0429.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 9 David GEIGER 2018-11-04 07:17:36 CET 
Looks like there is a missing pkg with this update:

A requested package cannot be installed:
python-cryptography-2.3.1-1.mga6.x86_64
python-cryptography-2.3.1-1.mga6.x86_64 (due to unsatisfied
pythonegg(2)(asn1crypto)[>= 0.21.0])
Comment 10 Marja Van Waes 2018-11-04 12:43:18 CET 
(In reply to David GEIGER from comment #9)
> Looks like there is a missing pkg with this update:
> 
> A requested package cannot be installed:
> python-cryptography-2.3.1-1.mga6.x86_64
> python-cryptography-2.3.1-1.mga6.x86_64 (due to unsatisfied
> pythonegg(2)(asn1crypto)[>= 0.21.0])

someone already filed bug 23803 for that.
Comment 11 Bruno Cornec 2018-11-06 01:44:57 CET 
Strangely enough that wasn't seen by QA testers (nor myself).
Is it possible to push python-asn1crypto from updates_testing as well (I just pushed it again) so that this issue is solved ?

TIA.
Comment 12 Marja Van Waes 2018-11-06 12:40:03 CET 
(In reply to Bruno Cornec from comment #11)
> Strangely enough that wasn't seen by QA testers (nor myself).
> Is it possible to push python-asn1crypto from updates_testing as well (I
> just pushed it again) so that this issue is solved ?
> 
> TIA.

Reopenening this report and assigning to sysadmin team.

Depends on: (none) => 23803
Assignee: qa-bugs => sysadmin-bugs

Comment 13 Marja Van Waes 2018-11-06 12:40:29 CET 
(In reply to Marja Van Waes from comment #12)
> (In reply to Bruno Cornec from comment #11)
> > Strangely enough that wasn't seen by QA testers (nor myself).
> > Is it possible to push python-asn1crypto from updates_testing as well (I
> > just pushed it again) so that this issue is solved ?
> > 
> > TIA.
> 
> Reopenening this report and assigning to sysadmin team.

Really reopening now :-(

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 14 David Walser 2018-11-06 12:54:33 CET 
Still needs to be assigned to QA so sysadmins will see it.

Assignee: sysadmin-bugs => qa-bugs

Comment 15 Thomas Backlund 2018-11-06 13:08:43 CET 
Package move in progress...

I think QA should start always using the QA tool done by martinw for the big qt/plasma update on all update testings to catch missed package issues like this...

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

Comment 16 Marja Van Waes 2018-11-10 07:25:42 CET 
(In reply to Thomas Backlund from comment #15)
> Package move in progress...
> 
> I think QA should start always using the QA tool done by martinw for the big
> qt/plasma update on all update testings to catch missed package issues like
> this...

Do you mind also moving python-cffi srpm and its rpms?

See bug 23810 [unsatisfied pythonegg(2)(cffi) trying to install python-cryptography-2.3.1-1.mga6.x86_64]

Depends on: (none) => 23810

Comment 17 Thomas Backlund 2018-11-10 12:35:06 CET 
python-cffi-1.7.0-1.mga6 move in progress
Comment 18 Thomas Andrews 2018-11-10 15:36:35 CET 
Checked out in VirtualBox. Packages now update without incident.