Bug 30661

Summary: python-m2crypto new security issue CVE-2020-25657
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, sysadmin-bugs, yvesbrungard
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: python-m2crypto-0.38.0-3.mga9.src.rpm CVE: CVE-2020-25657
Status comment:

Description David Walser 2022-07-22 17:03:29 CEST 
SUSE has issued an advisory today (July 22):
https://lists.suse.com/pipermail/sle-security-updates/2022-July/011631.html

Mageia 8 is also affected.
David Walser 2022-07-22 17:03:49 CEST

Whiteboard: (none) => MGA8TOO

Comment 2 papoteur 2022-07-24 22:26:40 CEST 
Submitted release 0.38.0 with commit "Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657)"

python3-m2crypto-0.38.0-4.mga8
Source:
python-m2crypto-0.38.0-4.mga8.src.rpm

Version: Cauldron => 8
CC: (none) => yves.brungard_mageia
Assignee: python => qa-bugs
CVE: (none) => CVE-2020-25657

David Walser 2022-07-24 22:45:46 CEST

Whiteboard: MGA8TOO => (none)

Comment 3 Herman Viaene 2022-07-26 10:43:01 CEST 
MGA8-64 Plasma on Acer Aspire 5253
No installation issues.
# urpmq --whatrequires python3-m2crypto
dropbox-servicemenu
python3-m2crypto
Installed dropbox-servicemenu and googled around, but could not make any sense. e.g. some pages refer to an install script I don't find anywhere. Note that I don't have a dropbox account.
Ref. then bug 17179 and tried
$ python3
Python 3.8.12 (default, Sep 12 2021, 19:57:22) 
[GCC 10.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import M2Crypto
>>> M2Crypto.EVP.pbkdf2('foo', 'abc', 1, 74)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.8/site-packages/M2Crypto/EVP.py", line 36, in pbkdf2
    return m2.pkcs5_pbkdf2_hmac_sha1(password, salt, iter, keylen)
TypeError: expected a readable buffer object
So, I'm lost here again. Otherwise installing this does not seem to harm anything else.

CC: (none) => herman.viaene

Comment 4 papoteur 2022-07-26 12:36:05 CEST 
Try with this command. The referenced bug report was for Python 2.
import M2Crypto
M2Crypto.EVP.pbkdf2(b'foo', b'abc', 1, 74)
Comment 5 papoteur 2022-07-27 17:59:52 CEST 
With updated release:
python3
Python 3.8.12 (default, Sep 12 2021, 19:57:22) 
[GCC 10.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import M2Crypto
>>> M2Crypto.EVP.pbkdf2(b'foo', b'abc', 1, 74)
b'2n\x13\xdd\xab\xb1N\xbc\xc0\xb3\x16\x85\xb1_(#\x02\xe6\x92L\xf6\xb6\xf8<\x80\xb7v\xc8\xec\x83tZ\xfd4\x9f\r\xea>?\x1d\xbb\x9b\xe3\xe1"\xc9W\x9e\x80\xdc\x0e\x16t\x06\x8e\x86~q\x82\xd2,\xaaa\xb1\x06+4k\x1dg\xf7CXF'
>>> 

with original version:
python3
Python 3.8.12 (default, Sep 12 2021, 19:57:22) 
[GCC 10.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import M2Crypto
>>> M2Crypto.EVP.pbkdf2(b'foo', b'abc', 1, 74)
b'2n\x13\xdd\xab\xb1N\xbc\xc0\xb3\x16\x85\xb1_(#\x02\xe6\x92L\xf6\xb6\xf8<\x80\xb7v\xc8\xec\x83tZ\xfd4\x9f\r\xea>?\x1d\xbb\x9b\xe3\xe1"\xc9W\x9e\x80\xdc\x0e\x16t\x06\x8e\x86~q\x82\xd2,\xaaa\xb1\x06+4k\x1dg\xf7CXF'

It seems to work without difference.
Comment 6 Herman Viaene 2022-07-30 11:50:22 CEST 
Followed Comment 5 and got the feedback as shown there, so this should be OK.
Tx papoteur.

Whiteboard: (none) => MGA8-64-OK

Comment 7 Thomas Andrews 2022-08-01 14:07:45 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-08-03 00:20:56 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2022-08-05 23:01:54 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0274.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED