From 237d4427b7fa134047ab2898229ebcd47784abe1 Mon Sep 17 00:00:00 2001
From: markeryang
Date: Tue, 15 Dec 2020 14:36:14 +0800
Subject: [PATCH] fix CVE-2020-25658
---
 ...0-13757.patch => 0001-CVE-2020-13757.patch | 0
 0002-CVE-2020-25658.patch | 62 +++++++++++++++++++
 python-rsa.spec | 8 ++-
 3 files changed, 68 insertions(+), 2 deletions(-)
 rename 0001-Fix-CVE-2020-13757.patch => 0001-CVE-2020-13757.patch (100%)
 create mode 100644 0002-CVE-2020-25658.patch
diff --git a/0001-Fix-CVE-2020-13757.patch b/0001-CVE-2020-13757.patch
similarity index 100%
rename from 0001-Fix-CVE-2020-13757.patch
rename to 0001-CVE-2020-13757.patch
diff --git a/0002-CVE-2020-25658.patch b/0002-CVE-2020-25658.patch
new file mode 100644
index 0000000..7a57f10
--- /dev/null
+++ b/0002-CVE-2020-25658.patch
@@ -0,0 +1,62 @@
+From dae8ce0d85478e16f2368b2341632775313d41ed Mon Sep 17 00:00:00 2001
+From: sybrenstuvel
+Date: Sun, 15 Nov 2020 15:18:38 +0100
+Subject: [PATCH] Fix #165: CVE-2020-25658 - Bleichenbacher-style timing oracle
+
+Use as many constant-time comparisons as practical in the
+`rsa.pkcs1.decrypt` function.
+
+`cleartext.index(b'\x00', 2)` will still be non-constant-time. The
+alternative would be to iterate over all the data byte by byte in
+Python, which is several orders of magnitude slower. Given that a
+perfect constant-time implementation is very hard or even impossible to
+do in Python [1], I chose the more performant option here.
+
+[1]: https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/
+source link:https://github.com/sybrenstuvel/python-rsa/commit/dae8ce0d85478e16f2368b2341632775313d41ed
+
+Signed-off-by: sybrenstuvel
+---
+ rsa/pkcs1.py | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py
+index cdf830b..7b210a5 100644
+--- a/rsa/pkcs1.py
++++ b/rsa/pkcs1.py
+@@ -30,6 +30,7 @@ to your users.
+
+ import hashlib
+ import os
++from hmac import compare_digest
+
+ from rsa._compat import b
+ from rsa import common, transform, core
+@@ -235,17 +236,20 @@ def decrypt(crypto, priv_key):
+ # Detect leading zeroes in the crypto. These are not reflected in the
+ # encrypted value (as leading zeroes do not influence the value of an
+ # integer). This fixes CVE-2020-13757.
+- if len(crypto) > blocksize:
+- raise DecryptionError('Decryption failed')
++ crypto_len_bad = len(crypto) > blocksize
+
+ # If we can't find the cleartext marker, decryption failed.
+- if cleartext[0:2] != b('\x00\x02'):
+- raise DecryptionError('Decryption failed')
++ cleartext_marker_bad = not compare_digest(cleartext[:2], b'\x00\x02')
+
+ # Find the 00 separator between the padding and the message
+ try:
+ sep_idx = cleartext.index(b('\x00'), 2)
+ except ValueError:
++ sep_idx = -1
++ sep_idx_bad = sep_idx < 0
++
++ anything_bad = crypto_len_bad | cleartext_marker_bad | sep_idx_bad
++ if anything_bad:
+ raise DecryptionError('Decryption failed')
+
+ return cleartext[sep_idx + 1:]
+--
+2.27.0
+
diff --git a/python-rsa.spec b/python-rsa.spec
index 6552d11..44f2701 100644
--- a/python-rsa.spec
+++ b/python-rsa.spec
@@ -1,13 +1,14 @@
 Name: python-rsa
 Version: 3.4.2
-Release: 13
+Release: 14
 Summary: Pure-Python RSA implementation
 License: ASL 2.0
 URL: http://stuvel.eu/rsa
 Source0: https://pypi.python.org/packages/source/r/rsa/rsa-%{version}.tar.gz
 BuildArch: noarch
-Patch1: 0001-Fix-CVE-2020-13757.patch
+Patch1: 0001-CVE-2020-13757.patch
+Patch2: 0002-CVE-2020-25658.patch
 %description
 Python-RSA is a pure-Python RSA implementation. It supports
@@ -52,6 +53,9 @@ mv $RPM_BUILD_ROOT%{_bindir}/pyrsa-decrypt-bigfile $RPM_BUILD_ROOT%{_bindir}/pyr
 %{__python3} setup.py test
 %changelog
+* Tue Dec 15 2020 yanglongkang - 3.4.2-14
+- fix CVE-2020-25658
+
 * Fri Oct 30 2020 yanglongkang - 3.4.2-13
 - remove python2 dependency
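Review bot: In the `decrypt` hunk of the added 0002-CVE-2020-25658.patch, `sep_idx_bad = sep_idx < 0` only rejects a missing separator, so a block whose padding string is shorter than the eight bytes required by RFC 8017 section 7.2.2 (step 3) is still accepted. Because the `\x00\x02` marker occupies indices 0 and 1, the check should be `sep_idx_bad = sep_idx < 10`. The `try`/`except ValueError` around `cleartext.index(...)` also keeps a data-dependent exception path; `sep_idx = cleartext.find(b'\x00', 2)` returns -1 instead of raising and would remove it. The added line uses a `b'\x00\x02'` literal while the surrounding context still calls `b('\x00')`, which is presumably fine for a Python-3-only build but worth confirming. `decrypt` begins outside the hunk, so how `cleartext` and `blocksize` are derived is not visible here.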