Bug 33315

Summary: python-authlib new security issue CVE-2024-37568
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, marja11, sysadmin-bugs, yvesbrungard
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: python-authlib-1.3.0-1.mga10.src.rpm CVE: CVE-2024-37568
Status comment:

Description Nicolas Salguero 2024-06-19 10:13:48 CEST 
SUSE has issued an advisory on June 18:
https://lists.suse.com/pipermail/sle-updates/2024-June/035616.html

The problem is fixed in version 1.3.1 or with the following commit: https://github.com/lepture/authlib/commit/3bea812acefebc9ee108aa24557be3ba8971daf1

Mageia 9 is also affected.
Nicolas Salguero 2024-06-19 10:14:26 CEST

Status comment: (none) => Fixed upstream in 1.3.1 and patch available from upstream
Source RPM: (none) => python-authlib-1.3.0-1.mga10.src.rpm
CVE: (none) => CVE-2024-37568
Whiteboard: (none) => MGA9TOO

Comment 1 Marja Van Waes 2024-06-20 21:18:20 CEST 
Assigning to the Python Stack Maintainers, CC'ing the registered maintainer.

Assignee: bugsquad => python
CC: (none) => marja11, yvesbrungard

Comment 2 papoteur 2024-06-21 11:47:41 CEST 
Cauldron is updated with 1.3.1
For Mageia 9:
=============
SRPMS:
python-authlib-1.3.1-1.mga9
RPMS:
python3-authlib-1.3.1-1.mga9.noarch
==============

Status comment: Fixed upstream in 1.3.1 and patch available from upstream => (none)
Version: Cauldron => 9
Assignee: python => qa-bugs
Whiteboard: MGA9TOO => (none)

katnatek 2024-06-24 20:10:12 CEST

Keywords: (none) => advisory

Comment 3 katnatek 2024-06-24 20:27:18 CEST 
RH mageia 9 x86_64

python3-pycryptodome is necessary to run POC

LC_ALL=C urpmi python3-authlib python3-pycryptodome

    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/python3-pycryptodome-3.15.0-3.mga9.x86_64.rpm
    https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/python3-authlib-1.2.0-1.mga9.noarch.rpm        
installing python3-authlib-1.2.0-1.mga9.noarch.rpm python3-pycryptodome-3.15.0-3.mga9.x86_64.rpm from /var/cache/urpmi/rpms         
Preparing...                     ##################################################################################################
      1/2: python3-pycryptodome  ##################################################################################################
      2/2: python3-authlib       ##################################################################################################

Save POC as authlib-cve.py

python3 authlib-cve.py 
😈 b'eyJhbGciOiJIUzI1NiJ9.eyJwd25lZCI6dHJ1ZX0.tpczvNyTfgwqIYd3Jyn5YtLlvKCvEYZtE_k804ADsGU'
VULNERABLE

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date


installing python3-authlib-1.3.1-1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: python3-authlib       ##################################################################################################
      1/1: removing python3-authlib-1.2.0-1.mga9.noarch
                                 ##################################################################################################

python3 authlib-cve.py 
😈 b'eyJhbGciOiJIUzI1NiJ9.eyJwd25lZCI6dHJ1ZX0.Oo7esTJGoZG3HiJhq-fAeiOZBDLImAx1hJlC0NVBE5s'
Traceback (most recent call last):
  File "/home/katnatek/qatest/authlib-cve.py", line 41, in <module>
    data = jwt.decode(evil_token, PUBKEY)
  File "/usr/lib/python3.10/site-packages/authlib/jose/rfc7519/jwt.py", line 96, in decode
    data = self._jws.deserialize_compact(s, load_key, decode_payload)
  File "/usr/lib/python3.10/site-packages/authlib/jose/rfc7515/jws.py", line 101, in deserialize_compact
    algorithm, key = self._prepare_algorithm_key(jws_header, payload, key)
  File "/usr/lib/python3.10/site-packages/authlib/jose/rfc7515/jws.py", line 257, in _prepare_algorithm_key
    key = algorithm.prepare_key(key)
  File "/usr/lib/python3.10/site-packages/authlib/jose/rfc7518/jws_algs.py", line 57, in prepare_key
    return OctKey.import_key(raw_data)
  File "/usr/lib/python3.10/site-packages/authlib/jose/rfc7518/oct_key.py", line 81, in import_key
    raise ValueError("This key may not be safe to import")
ValueError: This key may not be safe to import

I am not sure if this is the expected result, I understand it must only produce the message "This key may not be safe to import"

Keywords: (none) => feedback

Comment 4 papoteur 2024-06-24 21:10:26 CEST 
Hello,
No, the error raised is the expected behaviour.
Comment 5 katnatek 2024-06-24 21:23:47 CEST 
(In reply to papoteur from comment #4)
> Hello,
> No, the error raised is the expected behaviour.

Thank you

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK
Keywords: feedback => (none)

Comment 6 Thomas Andrews 2024-06-25 13:23:05 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2024-06-25 18:12:51 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0238.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED