Bug 1758704 (CVE-2019-14853)

Summary: CVE-2019-14853 python-ecdsa: Unexpected and undocumented exceptions during signature decoding
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: apevec, bbuckingham, bcourt, bkearney, btotty, dajohnso, dfediuck, dmetzger, eedri, gblomqui, gmccullo, gtanzill, hhudgeon, hkario, hvyas, jhardy, jjoyce, jprause, jschluet, kdixon, lhh, lpeer, lzap, mburns, mgoldboi, michal.skrivanek, mmccune, orion, rchan, rjerrido, roliveri, sbonazzo, sclewis, sherold, simaishi, sisharma, slinaber, spacewar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: python-ecdsa 0.13.3
Doc Type: If docs needed, set a value
Doc Text:
An error-handling flaw was found in python-ecdsa. During signature decoding, malformed DER signatures could raise unexpected exceptions (or no exceptions at all), which could lead to a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-25 09:53:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1760095, 1758705, 1758706, 1762802, 1762803, 1779461, 1807859
Bug Blocks: 1758708

Description Pedro Sampaio 2019-10-04 22:41:10 UTC
A flaw was found in python-ecdsa. Unexpected and undocumented exceptions can be raised during signature decoding, which may lead to denial of service in some cases. All the versions between at least 0.5 and 0.13.2 are thought to be vulnerable.

Upstream issue:

https://github.com/warner/python-ecdsa/issues/114

Upstream patch:

https://github.com/warner/python-ecdsa/pull/115

References:

https://github.com/warner/python-ecdsa/blob/bb359d32e93acc3eb4d216aff4ba0e7531599cfb/ecdsa/keys.py#L98-L113

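As an added illustration, not part of the bug report or of python-ecdsa's own code: a strict DER decoder for an ECDSA signature (SEQUENCE of two INTEGERs) that maps every malformed input to one documented exception, plus the verifier-side wrapper that turns that exception into a plain rejection instead of a crash. The exception name, helper names and sample byte strings are constructed for this example.

```python
class MalformedSignature(ValueError): """One documented exception for any defect in a DER signature."""

def _read_tlv(buf, pos, tag):
    """Read a DER tag-length-value at buf[pos]; return (content, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise MalformedSignature("missing or unexpected tag at offset %d" % pos)
    first, pos = buf[pos + 1], pos + 2
    if first < 0x80:                      # short-form length
        length = first
    elif first in (0x80, 0xFF):           # indefinite / reserved: never valid DER
        raise MalformedSignature("indefinite or reserved length form")
    else:                                 # long-form length, must be minimal
        n = first & 0x7F
        if pos + n > len(buf):
            raise MalformedSignature("truncated long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if buf[pos] == 0 or length < 0x80:
            raise MalformedSignature("non-minimal length encoding")
        pos += n
    if pos + length > len(buf):
        raise MalformedSignature("content truncated, need %d bytes" % length)
    return buf[pos:pos + length], pos + length

def _der_unsigned_int(content):
    """Decode a DER INTEGER that must be non-negative and minimally encoded."""
    if not content or content[0] & 0x80:
        raise MalformedSignature("empty or negative INTEGER is not a valid r or s")
    if len(content) > 1 and content[0] == 0 and not content[1] & 0x80:
        raise MalformedSignature("non-minimal INTEGER encoding")
    return int.from_bytes(content, "big")

def decode_der_signature(sig):
    """Parse SEQUENCE { INTEGER r, INTEGER s }; raise MalformedSignature otherwise."""
    seq, end = _read_tlv(sig, 0, 0x30)
    if end != len(sig):
        raise MalformedSignature("trailing bytes after SEQUENCE")
    r_bytes, pos = _read_tlv(seq, 0, 0x02)
    s_bytes, pos = _read_tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise MalformedSignature("extra elements inside SEQUENCE")
    return _der_unsigned_int(r_bytes), _der_unsigned_int(s_bytes)

def decode_or_reject(sig):  # verifier-side wrapper: malformed means "reject", never a crash
    try:
        return decode_der_signature(sig)
    except MalformedSignature:
        return None
# Constructed vectors, not real signatures: r=1, s=2; then truncated, trailing byte, negative r.
SAMPLES = {"valid": bytes.fromhex("3006020101020102"), "truncated": bytes.fromhex("30060201010201"),
           "trailing": bytes.fromhex("300602010102010200"), "negative_r": bytes.fromhex("3006020181020102")}
```

Every structural defect surfaces as MalformedSignature, so a caller that catches that one type (or uses decode_or_reject) cannot be taken down by an IndexError or similar escaping from the parser.
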
Comment 1 Pedro Sampaio 2019-10-04 22:42:01 UTC
Created python-ecdsa tracking bugs for this issue:

Affects: epel-all [bug 1758706]
Affects: fedora-all [bug 1758705]

Comment 2 Alicja Kario 2019-10-07 14:12:00 UTC
Version 0.13.3 of the library, which addresses this issue, has been released:
 * https://pypi.org/project/ecdsa/0.13.3/
 * https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3

Comment 15 Doran Moppert 2019-12-10 00:00:58 UTC
Statement:

Although Red Hat OpenStack Platform ships the flawed code, RHOSP does not actually use python-ecdsa's functionality. As such, Red Hat OpenStack Platform will not be providing a fix for python-ecdsa at this time.

Current releases of Red Hat Virtualization Manager no longer include python-ecdsa as a dependency. While it remains available in repositories as a legacy dependency, it is not installed by default and its use is not recommended.

Comment 16 Yadnyawalk Tale 2020-01-21 11:45:02 UTC
Red Hat CloudForms Management Engine 5.9 (4.6), 5.10 (4.7) and 5.11 (5.0) are not affected since we don't ship python-ecdsa. CloudForms 5.8 (4.5), however, is vulnerable but unsupported by Red Hat as of December 1, 2019.

Comment 17 Yadnyawalk Tale 2020-01-21 11:53:50 UTC
External References:

https://github.com/advisories/GHSA-pwfw-mgfj-7g3g

Comment 32 errata-xmlrpc 2021-11-16 14:07:42 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702