!15 fix CVE-2020-25658

From: @markeryang Reviewed-by: @wubo009,@liuzhiqiang26,@small_leek Signed-off-by: @small_leek
2020-12-15 14:50:45 +08:00 · 2020-12-15 14:50:45 +08:00 · 25a427ef5e
commit 25a427ef5e
parent c5438fcdc8 237d4427b7
3 changed files with 68 additions and 2 deletions
--- a/0001-Fix-CVE-2020-13757.patch
+++ b/0001-Fix-CVE-2020-13757.patch
--- a/0002-CVE-2020-25658.patch
+++ b/0002-CVE-2020-25658.patch
@ -0,0 +1,62 @@
+From dae8ce0d85478e16f2368b2341632775313d41ed Mon Sep 17 00:00:00 2001
+From: sybrenstuvel <sybren@stuvel.eu>
+Date: Sun, 15 Nov 2020 15:18:38 +0100
+Subject: [PATCH] Fix #165: CVE-2020-25658 - Bleichenbacher-style timing oracle
+
+Use as many constant-time comparisons as practical in the
+`rsa.pkcs1.decrypt` function.
+
+`cleartext.index(b'\x00', 2)` will still be non-constant-time. The
+alternative would be to iterate over all the data byte by byte in
+Python, which is several orders of magnitude slower. Given that a
+perfect constant-time implementation is very hard or even impossible to
+do in Python [1], I chose the more performant option here.
+
+[1]: https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/
+source link:https://github.com/sybrenstuvel/python-rsa/commit/dae8ce0d85478e16f2368b2341632775313d41ed
+
+Signed-off-by: sybrenstuvel <sybren@stuvel.eu>
+---
+ rsa/pkcs1.py | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/rsa/pkcs1.py b/rsa/pkcs1.py
+index cdf830b..7b210a5 100644
+--- a/rsa/pkcs1.py
+++ b/rsa/pkcs1.py
+@@ -30,6 +30,7 @@ to your users.
+ 
+ import hashlib
+ import os
+from hmac import compare_digest
+ 
+ from rsa._compat import b
+ from rsa import common, transform, core
+@@ -235,17 +236,20 @@ def decrypt(crypto, priv_key):
+     # Detect leading zeroes in the crypto. These are not reflected in the
+     # encrypted value (as leading zeroes do not influence the value of an
+     # integer). This fixes CVE-2020-13757.
+-    if len(crypto) > blocksize:
+-        raise DecryptionError('Decryption failed')
+    crypto_len_bad = len(crypto) > blocksize
+ 
+     # If we can't find the cleartext marker, decryption failed.
+-    if cleartext[0:2] != b('\x00\x02'):
+-        raise DecryptionError('Decryption failed')
+    cleartext_marker_bad = not compare_digest(cleartext[:2], b'\x00\x02')
+ 
+     # Find the 00 separator between the padding and the message
+     try:
+         sep_idx = cleartext.index(b('\x00'), 2)
+     except ValueError:
+        sep_idx = -1
+    sep_idx_bad = sep_idx < 0
+
+    anything_bad = crypto_len_bad | cleartext_marker_bad | sep_idx_bad
+    if anything_bad:
+         raise DecryptionError('Decryption failed')
+ 
+     return cleartext[sep_idx + 1:]
+-- 
+2.27.0
+
--- a/python-rsa.spec
+++ b/python-rsa.spec
@ -1,13 +1,14 @@
 Name:           python-rsa
 Version:        3.4.2
-Release:        13
+Release:        14
 Summary:        Pure-Python RSA implementation
 License:        ASL 2.0
 URL:            http://stuvel.eu/rsa
 Source0:        https://pypi.python.org/packages/source/r/rsa/rsa-%{version}.tar.gz
 BuildArch:      noarch

-Patch1: 0001-Fix-CVE-2020-13757.patch
+Patch1: 0001-CVE-2020-13757.patch
+Patch2: 0002-CVE-2020-25658.patch

 %description
 Python-RSA is a pure-Python RSA implementation. It supports
@ -52,6 +53,9 @@ mv $RPM_BUILD_ROOT%{_bindir}/pyrsa-decrypt-bigfile $RPM_BUILD_ROOT%{_bindir}/pyr
 %{__python3} setup.py test

 %changelog
+* Tue Dec 15 2020 yanglongkang <yanglongkang@huawei.com> - 3.4.2-14
+- fix CVE-2020-25658
+
 * Fri Oct 30 2020 yanglongkang <yanglongkang@huawei.com> - 3.4.2-13
 - remove python2 dependency