SUSE has issued an advisory on June 18: https://lists.suse.com/pipermail/sle-updates/2024-June/035616.html The problem is fixed in version 1.3.1 or with the following commit: https://github.com/lepture/authlib/commit/3bea812acefebc9ee108aa24557be3ba8971daf1 Mageia 9 is also affected.
Status comment: (none) => Fixed upstream in 1.3.1 and patch available from upstreamSource RPM: (none) => python-authlib-1.3.0-1.mga10.src.rpmCVE: (none) => CVE-2024-37568Whiteboard: (none) => MGA9TOO
Assigning to the Python Stack Maintainers, CC'ing the registered maintainer.
Assignee: bugsquad => pythonCC: (none) => marja11, yvesbrungard
Cauldron is updated with 1.3.1 For Mageia 9: ============= SRPMS: python-authlib-1.3.1-1.mga9 RPMS: python3-authlib-1.3.1-1.mga9.noarch ==============
Status comment: Fixed upstream in 1.3.1 and patch available from upstream => (none)Version: Cauldron => 9Assignee: python => qa-bugsWhiteboard: MGA9TOO => (none)
Keywords: (none) => advisory
RH mageia 9 x86_64 python3-pycryptodome is necessary to run POC LC_ALL=C urpmi python3-authlib python3-pycryptodome https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/python3-pycryptodome-3.15.0-3.mga9.x86_64.rpm https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/python3-authlib-1.2.0-1.mga9.noarch.rpm installing python3-authlib-1.2.0-1.mga9.noarch.rpm python3-pycryptodome-3.15.0-3.mga9.x86_64.rpm from /var/cache/urpmi/rpms Preparing... ################################################################################################## 1/2: python3-pycryptodome ################################################################################################## 2/2: python3-authlib ################################################################################################## Save POC as authlib-cve.py python3 authlib-cve.py 😈 b'eyJhbGciOiJIUzI1NiJ9.eyJwd25lZCI6dHJ1ZX0.tpczvNyTfgwqIYd3Jyn5YtLlvKCvEYZtE_k804ADsGU' VULNERABLE LC_ALL=C urpmi --auto --auto-update medium "QA Testing (32-bit)" is up-to-date medium "QA Testing (64-bit)" is up-to-date medium "Core Release (distrib1)" is up-to-date medium "Core Updates (distrib3)" is up-to-date medium "Nonfree Release (distrib11)" is up-to-date medium "Nonfree Updates (distrib13)" is up-to-date medium "Tainted Release (distrib21)" is up-to-date medium "Tainted Updates (distrib23)" is up-to-date medium "Core 32bit Release (distrib31)" is up-to-date medium "Core 32bit Updates (distrib32)" is up-to-date medium "Nonfree 32bit Release (distrib36)" is up-to-date medium "Tainted 32bit Release (distrib41)" is up-to-date medium "Tainted 32bit Updates (distrib42)" is up-to-date installing python3-authlib-1.3.1-1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64 Preparing... ################################################################################################## 1/1: python3-authlib ################################################################################################## 1/1: removing python3-authlib-1.2.0-1.mga9.noarch ################################################################################################## python3 authlib-cve.py 😈 b'eyJhbGciOiJIUzI1NiJ9.eyJwd25lZCI6dHJ1ZX0.Oo7esTJGoZG3HiJhq-fAeiOZBDLImAx1hJlC0NVBE5s' Traceback (most recent call last): File "/home/katnatek/qatest/authlib-cve.py", line 41, in <module> data = jwt.decode(evil_token, PUBKEY) File "/usr/lib/python3.10/site-packages/authlib/jose/rfc7519/jwt.py", line 96, in decode data = self._jws.deserialize_compact(s, load_key, decode_payload) File "/usr/lib/python3.10/site-packages/authlib/jose/rfc7515/jws.py", line 101, in deserialize_compact algorithm, key = self._prepare_algorithm_key(jws_header, payload, key) File "/usr/lib/python3.10/site-packages/authlib/jose/rfc7515/jws.py", line 257, in _prepare_algorithm_key key = algorithm.prepare_key(key) File "/usr/lib/python3.10/site-packages/authlib/jose/rfc7518/jws_algs.py", line 57, in prepare_key return OctKey.import_key(raw_data) File "/usr/lib/python3.10/site-packages/authlib/jose/rfc7518/oct_key.py", line 81, in import_key raise ValueError("This key may not be safe to import") ValueError: This key may not be safe to import I am not sure if this is the expected result, I understand it must only produce the message "This key may not be safe to import"
Keywords: (none) => feedback
Hello, No, the error raised is the expected behaviour.
(In reply to papoteur from comment #4) > Hello, > No, the error raised is the expected behaviour. Thank you
CC: (none) => andrewsfarmWhiteboard: (none) => MGA9-64-OKKeywords: feedback => (none)
Validating.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0238.html
Status: NEW => RESOLVEDResolution: (none) => FIXED