Bug 1210757

Summary: python-debian: GPG keys verification bypass (similar to CVE-2015-0840)
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: bkearney, cperry, ggainey, jrusnack, meissner, mkollar, msuchy, sherr, taw, thomas, tjay
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: python-debian 0.1.27
Doc Type: Bug Fix
Last Closed: 2015-04-15 07:44:36 UTC
Bug Depends On: 1210758, 1210759
Bug Blocks: 1210762
Attachments: upstream patch (flags: none)

Description Vasyl Kaigorodov 2015-04-10 13:46:31 UTC
From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782276:
"""
While dealing with the dpkg security issue (fixed in 1.16.16, and the
upcoming 1.17.25), I checked other implementations and found that it
also affects the python-debian modules.

The parser is too lax and accepts any whitespace while GnuPG only
accepts [\r\t ] at the end of an Armor Header line, which means that a
message could be doctored to include lines that will be ignored by GnuPG
but parsed by the python-debian modules.
"""

This issue is similar to bug 1210748; the patch is attached to the Debian bug.
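To make the whitespace discrepancy concrete, here is an added example (my own illustration, not python-debian's code and not the attached upstream patch). It splits a clearsigned message into armor headers and signed payload in two modes: a lax mode whose blank-line test is `str.strip()`, and a strict mode that accepts only CR, TAB and SPACE as GnuPG does. The `DOCTORED` message, the `Package:` fields and the function names are constructed for this example; the message carries no real signature, since only the parsing step is being shown.

```python
import re

# GnuPG treats an armor-header line as blank only when it contains nothing
# but CR, TAB and SPACE.  Python's str.strip() (and str.isspace()) also
# accept \x0b, \x0c, \x1c-\x1f, \x85, \xa0, \u2028 and more, so a parser
# built on it can see an "empty" line where GnuPG still sees a header line.
GPG_BLANK = re.compile(r"[\r\t ]*")

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def is_blank(line, strict):
    """True if `line` terminates the armor-header block.

    strict=False is the lax check; strict=True mirrors GnuPG's CR/TAB/SPACE
    rule.
    """
    if strict:
        return GPG_BLANK.fullmatch(line) is not None
    return not line.strip()


def split_clearsigned(text, strict=True):
    r"""Split a clearsigned message into (armor_header_lines, payload_lines).

    Only "\n" is used as the line separator: str.splitlines() also breaks
    on \x0c, \x1c, \x85 and friends and would reintroduce the laxness.
    """
    headers, payload = [], []
    state = "before"
    for raw in text.split("\n"):
        line = raw.rstrip("\r")
        if state == "before":
            if line == BEGIN_SIGNED:
                state = "headers"
        elif state == "headers":
            if is_blank(line, strict):
                state = "payload"      # from here on, lines are signed
            else:
                headers.append(line)
        elif state == "payload":
            if line == BEGIN_SIG:
                state = "signature"
            else:
                payload.append(line)
        elif state == "signature" and line == END_SIG:
            break
    return headers, payload


def smuggled_lines(text):
    """Lines a lax parser would place in the signed payload but a strict
    parser keeps in the (unsigned) armor-header section.

    The lax blank test accepts everything the strict one does, so the
    strict payload is normally a suffix of the lax payload; the surplus
    prefix is what a doctored message could add.  A non-empty result is
    the condition to reject the input on.
    """
    _, lax = split_clearsigned(text, strict=False)
    _, strict_payload = split_clearsigned(text, strict=True)
    cut = len(lax) - len(strict_payload)
    if cut < 0 or lax[cut:] != strict_payload:
        return lax                      # parsers disagree completely
    return lax[:cut]


# Constructed message, no real signature: the form feed on the third line
# is "blank" for str.strip() but not for GnuPG, so the lax parser starts the
# payload one line early and picks up the doctored "Package:" field.
DOCTORED = "\n".join([
    BEGIN_SIGNED,
    "Hash: SHA256",
    "\x0c",
    "Package: injected",
    "",
    "Package: legit",
    "Version: 1.0",
    BEGIN_SIG,
    "(signature data omitted in this constructed example)",
    END_SIG,
    "",
])

if __name__ == "__main__":
    for strict in (False, True):
        headers, payload = split_clearsigned(DOCTORED, strict=strict)
        print("strict=%s headers=%r payload=%r" % (strict, headers, payload))
    print("smuggled:", smuggled_lines(DOCTORED))
```

The fix is the one-line change from `not line.strip()` to a character class of exactly `[\r\t ]`; the `smuggled_lines` helper is the check a packager can run over incoming control files to flag inputs on which the two notions of "blank" disagree.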

Comment 1 Vasyl Kaigorodov 2015-04-10 13:47:48 UTC
Created python-debian tracking bugs for this issue:

Affects: fedora-all [bug 1210758]
Affects: epel-all [bug 1210759]

Comment 2 Ján Rusnačko 2015-04-14 13:58:26 UTC
Created attachment 1014333 [details]
upstream patch

Comment 3 Miroslav Suchý 2015-04-14 16:48:33 UTC
Upstream released new version 0.1.27, which fixes this issue. The tar file will be accessible in a matter of hours; I will rebase the package tomorrow.

Comment 4 Ján Rusnačko 2015-04-15 07:37:51 UTC
Analysis:

The vulnerable line was introduced in commit 785cef6faca4496549946a552a03b988871b6e3b authored 2014-08-25 as a fix for #695932. Version 0.1.21, which is currently present in Fedora and EPEL, was released 2014-06-01 and does not contain the vulnerable code.