Bug 26954

Summary: python-rsa new security issue CVE-2020-13757
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: nicolas.salguero, sysadmin-bugs, tarazed25
Version: 7Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: python-rsa-4.0-1.mga7.src.rpm CVE: CVE-2020-13757
Status comment:
Attachments: Testcase for 2048-bit cipher
3072-bit vector testcase for python-rsa
4096-bit vector testcase for python-rsa

Description David Walser 2020-07-14 23:19:09 CEST 
Fedora has issued an advisory today (July 14):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZYB65VNILRBTXL6EITQTH2PZPK7I23MW/

The issue is fixed upstream in 4.1.

Mageia 7 is also affected.
David Walser 2020-07-14 23:19:33 CEST

Status comment: (none) => Fixed upstream in 4.1
Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-07-16 21:21:10 CEST 
This SRPM is maintained by various people, so assigning this bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2020-09-03 10:43:59 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Python-RSA before 4.1 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation). (CVE-2020-13757)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13757
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZYB65VNILRBTXL6EITQTH2PZPK7I23MW/
========================

Updated packages in core/updates_testing:
========================
python2-rsa-4.0-1.1.mga7
python3-rsa-4.0-1.1.mga7

from SRPM:
python-rsa-4.0-1.1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
CVE: (none) => CVE-2020-13757
Version: Cauldron => 7
Status comment: Fixed upstream in 4.1 => (none)
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Source RPM: python-rsa-4.0-3.mga8.src.rpm => python-rsa-4.0-1.mga7.src.rpm

Comment 3 Len Lawrence 2020-09-05 10:33:50 CEST 
Created attachment 11866 [details]
Testcase for 2048-bit cipher

https://github.com/sybrenstuvel/python-rsa/issues/146
This works for python3.  There is a missing fromhex problem in python2.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2020-09-05 10:50:28 CEST 
mga7, x86_64

CVE-2020-13757
There are testcases for this at
https://github.com/sybrenstuvel/python-rsa/issues/146

Before update:
2048-bit cypher
$ python2 pkcs1_2048.py

Test with prepended bytes to ciphertext

Traceback (most recent call last):
  File "pkcs1_2048.py", line 61, in <module>
    ct = bytes.fromhex("00004501b4d669e01b9ef2dc800aa1b06d49196f5a09fe8fbcd037323c60eaf027bfb98432be4e4a26c567ffec718bcbea977dd26812fa071c33808b4d5ebb742d9879806094b6fbeea63d25ea3141733b60e31c6912106e1b758a7fe0014f075193faa8b4622bfd5d3013f0a32190a95de61a3604711bc62945f95a6522bd4dfed0a994ef185b28c281f7b5e4c8ed41176d12d9fc1b837e6a0111d0132d08a6d6f0580de0c9eed8ed105531799482d1e466c68c23b0c222af7fc12ac279bc4ff57e7b4586d209371b38c4c1035edd418dc5f960441cb21ea2bedbfea86de0d7861e81021b650a1de51002c315f1e7c12debe4dcebf790caaa54a2f26b149cf9e77d")
AttributeError: type object 'str' has no attribute 'fromhex'

$ python3 pkcs1_2048.py

Test with prepended bytes to ciphertext
[!] No errors in decryption
message == pt? True
Test with appended bytes to ciphertext
[*] Invalid decryption
Test with original ciphertext
[!] No errors in decryption
message == pt? True
 
After updating:
Avoided the python2 test because of the missing fromhex module.
$ python3 pkcs1_2048.py
Test with prepended bytes to ciphertext
[*] Invalid decryption
Test with appended bytes to ciphertext
[*] Invalid decryption
Test with original ciphertext
[!] No errors in decryption
message == pt? True

The prepended null bytes test now reyrns invalid, which is the expected behaviour.

Running this code is probably a good enough test of the packages but leaving this bug open in case somebody with knowledge of the python2 hinterland can correct the fromhex problem.
Comment 5 Len Lawrence 2020-09-06 09:40:40 CEST 
Ran the 3072 and 4096-bit testcases as well, after the update.  Both worked as expected.
$ python3 vector_3072.py
Test with prepended bytes to ciphertext
[*] Invalid decryption
Test with original ciphertext
[!] No errors in decryption
message == pt? True

$ python3 vector_4096.py
Test with prepended bytes to ciphertext
[*] Invalid decryption
Test with original ciphertext
[!] No errors in decryption
message == pt? True

Giving this an OK for 64-bits.

Whiteboard: (none) => MGA7-64-OK

Comment 6 Len Lawrence 2020-09-06 09:46:37 CEST 
Created attachment 11867 [details]
3072-bit vector testcase for python-rsa

Testcase is for malicious insertion of null bytes before enciphered message text.
Currently works for python3 only.
Comment 7 Len Lawrence 2020-09-06 09:47:56 CEST 
Created attachment 11868 [details]
4096-bit vector testcase for python-rsa
Len Lawrence 2020-09-06 09:49:05 CEST

Whiteboard: MGA7-64-OK => has_procedure, MGA7-64-OK

Len Lawrence 2020-09-06 10:05:52 CEST

Whiteboard: has_procedure, MGA7-64-OK => MGA7-64-OK

David Walser 2020-09-06 14:05:47 CEST

CC: (none) => sysadmin-bugs
Keywords: (none) => has_procedure, validated_update

Aurelien Oudelet 2020-09-06 19:56:44 CEST

Keywords: (none) => advisory

Comment 8 Mageia Robot 2020-09-06 22:34:14 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0364.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED